From 79787294f034b3009c3de557c6441c9ceba936b8 Mon Sep 17 00:00:00 2001
From: Jiri Vanek
Date: Mon, 30 Aug 2021 13:59:44 +0200
Subject: [PATCH] Fixed SECURITY-2411

---
 .../java/hudson/plugins/nested_view/NestedView.java | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/main/java/hudson/plugins/nested_view/NestedView.java b/src/main/java/hudson/plugins/nested_view/NestedView.java
index 87e214c..0aa39c3 100644
--- a/src/main/java/hudson/plugins/nested_view/NestedView.java
+++ b/src/main/java/hudson/plugins/nested_view/NestedView.java
@@ -31,6 +31,8 @@
 import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
+
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -505,10 +507,12 @@ public void updateByXml(Source source) throws IOException {
 // this allows us to use UTF-8 for storing data,
 // plus it checks any well-formedness issue in the submitted
 // data
- Transformer t = TransformerFactory.newInstance()
- .newTransformer();
- t.transform(source,
- new StreamResult(out));
+ TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer t = factory.newTransformer();
+ t.transform(source, new StreamResult(out));
 out.close();
 } catch (TransformerException e) {
 throw new IOException2("Failed to persist configuration.xml", e);
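Review bot: The two added `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` / `ACCESS_EXTERNAL_STYLESHEET` calls throw an unchecked `IllegalArgumentException` if the `TransformerFactory` that `newInstance()` resolves at runtime does not recognize those JAXP attributes, and that exception is not covered by the `catch (TransformerException e)` below (only the `setFeature` call's `TransformerConfigurationException` is), so on such a classpath the method would fail with an unexplained runtime exception instead of the `IOException2` path the caller already handles. If a non-JDK factory can plausibly be resolved in this deployment, wrapping the two `setAttribute` calls in a `catch (IllegalArgumentException e)` that rethrows `new IOException2("Failed to persist configuration.xml", e)` keeps the outcome fail-closed and consistent with the existing error path. The hunk also leaves the hardening undocumented: the three-line comment above explains only the UTF-8/well-formedness purpose, so a line such as `// Deny external DTD/entity and stylesheet resolution and enable JAXP secure-processing limits for the submitted XML` before `TransformerFactory factory = ...` would mark these lines as a security control rather than incidental setup. updateByXml's body starts and ends outside the hunk.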