XML外部实体注入

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java

@@ -1,6 +1,8 @@
 package com.xboe.module.scorm.cam.load;
 
 import java.io.File;
+import java.io.IOException;
+import java.io.StringReader;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -85,6 +87,9 @@ import com.xboe.module.scorm.cam.model.datatype.NonNegativeInteger;
 import com.xboe.module.scorm.cam.model.datatype.Token;
 import com.xboe.module.scorm.cam.model.datatype.VCard;
 import com.xboe.module.scorm.common.CommonUtils;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 @Slf4j
 public class ContentPackageGenerator {
@@ -145,6 +150,15 @@ public class ContentPackageGenerator {
         Document manifestXml;
         try {
         	SAXReader reader = new SAXReader();
+
+            reader.setEntityResolver(new EntityResolver() {
+                @Override
+                public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+                    // 总是返回空的InputSource来忽略外部实体
+                    return new InputSource(new StringReader(""));
+                }
+            });
+
             manifestXml = reader.read(manifestXmlFile);
             
         } catch (DocumentException e) {