From 382860304b2efbf837cb3fcbbe806c81c27bf6b1 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Fri, 24 Sep 2021 14:15:26 -0400
Subject: [PATCH] fix(jruby): SAX parser uses an entity resolver to avoid XXE injections.

This behavior now matches the CRuby implementation.
---
 ext/java/nokogiri/XmlSaxParserContext.java | 1 +
 test/xml/sax/test_parser.rb | 33 ++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/ext/java/nokogiri/XmlSaxParserContext.java b/ext/java/nokogiri/XmlSaxParserContext.java
index 5727a10..e614ce9 100644
--- a/ext/java/nokogiri/XmlSaxParserContext.java
+++ b/ext/java/nokogiri/XmlSaxParserContext.java
@@ -227,6 +227,7 @@ public class XmlSaxParserContext extends ParserContext {
     preParse(runtime, handlerRuby, handler);
     parser.setContentHandler(handler);
     parser.setErrorHandler(handler);
+    parser.setEntityResolver(new NokogiriEntityResolver(runtime, errorHandler, options));
     try{
     parser.setProperty("http://xml.org/sax/properties/lexical-handler", handler);
-- 
2.27.0
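Review bot: The added `setEntityResolver` line is now the only control over external entity fetching on this SAX path, yet nothing at the call site says so; a why-comment would keep a future refactor from dropping it, e.g. `// Route every entity lookup through NokogiriEntityResolver so external entities are resolved only as `options` allow (parity with the CRuby parser).` The resolver is constructed with `errorHandler`, a different object from the `handler` passed to `setContentHandler`/`setErrorHandler` two lines above; presumably a ParserContext field, so it is worth confirming it is initialized before this point rather than null when the resolver reports a refused entity. Whether this alone also covers DTD loading and parameter entities depends on what NokogiriEntityResolver returns for those cases, which is outside this hunk; if it does not, the corresponding SAX/Xerces features would still need to be disabled on `parser`. The enclosing method starts and ends outside the hunk, and the `test/xml/sax/test_parser.rb` hunk listed in the diffstat is not shown here.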