diff --git a/bundles/org.openhab.binding.enigma2/src/main/java/org/openhab/binding/enigma2/internal/Enigma2Client.java b/bundles/org.openhab.binding.enigma2/src/main/java/org/openhab/binding/enigma2/internal/Enigma2Client.java
index 833e87eac..b695105c2 100644
--- a/bundles/org.openhab.binding.enigma2/src/main/java/org/openhab/binding/enigma2/internal/Enigma2Client.java
+++ b/bundles/org.openhab.binding.enigma2/src/main/java/org/openhab/binding/enigma2/internal/Enigma2Client.java
@@ -81,16 +81,19 @@ public class Enigma2Client {
 private final Enigma2HttpClient enigma2HttpClient;
 private final DocumentBuilderFactory factory;
- public Enigma2Client(String host, @Nullable String user, @Nullable String password, int requestTimeout)
- throws ParserConfigurationException {
+ public Enigma2Client(String host, @Nullable String user, @Nullable String password, int requestTimeout) {
 enigma2HttpClient = new Enigma2HttpClient(requestTimeout);
 factory = DocumentBuilderFactory.newInstance();
 // see https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- factory.setXIncludeAware(false);
- factory.setExpandEntityReferences(false);
+ try {
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ } catch (ParserConfigurationException e) {
+ logger.warn("Failed setting parser features against XXE attacks!", e);
+ }
 if (StringUtils.isNotEmpty(user) && StringUtils.isNotEmpty(password)) {
 this.host = "http://" + user + ":" + password + "@" + host;
 } else {
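Review bot: The new catch block in the constructor logs and continues, so a factory whose XXE hardening could not be applied is still kept in the `factory` field and used for every later parse — the hardening now fails open, whereas the removed `throws ParserConfigurationException` made it fail closed. Since the constructor no longer declares the checked exception, rethrow unchecked rather than warn: replace the `logger.warn` line with `throw new IllegalStateException("Failed setting parser features against XXE attacks!", e);` (the `logger` field is presumably declared outside the hunk). The OWASP page the comment cites also lists `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` as the primary control; it belongs inside the same try if the device responses never carry a DOCTYPE. Note that only the `setFeature` calls throw `ParserConfigurationException`, so `setXIncludeAware` and `setExpandEntityReferences` could sit outside the try to keep the guarded region minimal. The constructor body continues past the end of the hunk.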