fixes bug 40644: centralize in XMLUtils creation of objects to deal with XML
authorCarlos Aristu <carlos.aristu@openbravo.com>
Thu, 02 May 2019 16:41:04 +0200
changeset 35624 a22198c21e23
parent 35623 f6572fcebdf7
child 35625 4f276eb2112c
fixes bug 40644: centralize in XMLUtils creation of objects to deal with XML
src-test/src/org/openbravo/test/dal/IssuesTest.java
src-test/src/org/openbravo/test/webservice/BaseWSTest.java
src/org/openbravo/base/provider/OBProviderConfigReader.java
src/org/openbravo/base/secureApp/LoginUtils.java
src/org/openbravo/base/session/OBPropertiesProvider.java
src/org/openbravo/dal/xml/EntityExcelXMLConverter.java
src/org/openbravo/dal/xml/EntityXMLConverter.java
src/org/openbravo/dal/xml/XMLUtil.java
src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
src/org/openbravo/erpCommon/modules/ImportModule.java
src/org/openbravo/erpCommon/utility/ISOCurrencyPrecision.java
src/org/openbravo/service/rest/DalWebService.java
src/org/openbravo/service/web/WebServiceUtil.java
--- a/src-test/src/org/openbravo/test/dal/IssuesTest.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src-test/src/org/openbravo/test/dal/IssuesTest.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2009-2018 Openbravo SLU 
+ * All portions are Copyright (C) 2009-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -75,6 +75,7 @@
 import org.openbravo.dal.service.OBDal;
 import org.openbravo.dal.service.OBQuery;
 import org.openbravo.dal.xml.XMLEntityConverter;
+import org.openbravo.dal.xml.XMLUtil;
 import org.openbravo.data.UtilSql;
 import org.openbravo.model.ad.access.Role;
 import org.openbravo.model.ad.access.User;
@@ -563,7 +564,7 @@
     // for a webservice referenced entities should not be created at all!
     xec.getEntityResolver().setOptionCreateReferencedIfNotFound(false);
 
-    final SAXReader reader = new SAXReader();
+    final SAXReader reader = XMLUtil.getInstance().newSAXReader();
     final Document document = reader.read(this.getClass().getResourceAsStream("test_13281.xml"));
     final List<BaseOBObject> result = xec.process(document);
     assertEquals(1, result.size());
--- a/src-test/src/org/openbravo/test/webservice/BaseWSTest.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src-test/src/org/openbravo/test/webservice/BaseWSTest.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2014 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -160,7 +160,7 @@
       String retContent;
 
       if (validateXML) {
-        final SAXReader sr = new SAXReader();
+        final SAXReader sr = XMLUtil.getInstance().newSAXReader();
         final InputStream is = hc.getInputStream();
         final Document doc = sr.read(is);
         retContent = XMLUtil.getInstance().toString(doc);
@@ -251,7 +251,7 @@
     try {
       final HttpURLConnection hc = createConnection(wsPart, "GET");
       hc.connect();
-      final SAXReader sr = new SAXReader();
+      final SAXReader sr = XMLUtil.getInstance().newSAXReader();
       final InputStream is = hc.getInputStream();
       final StringBuilder sb = new StringBuilder();
       BufferedReader reader = new BufferedReader(new InputStreamReader(is, "UTF-8"));
--- a/src/org/openbravo/base/provider/OBProviderConfigReader.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/base/provider/OBProviderConfigReader.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2011 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -29,6 +29,7 @@
 import org.dom4j.io.SAXReader;
 import org.openbravo.base.util.Check;
 import org.openbravo.base.util.OBClassLoader;
+import org.openbravo.dal.xml.XMLUtil;
 
 /**
  * Reads the provider config file and processes it. The provider config file can be used to
@@ -42,7 +43,7 @@
 
   void read(String prefix, InputStream is) {
     try {
-      final SAXReader reader = new SAXReader();
+      final SAXReader reader = XMLUtil.getInstance().newSAXReader();
       final Document doc = reader.read(is);
       process(prefix, doc);
     } catch (final Exception e) {
@@ -52,7 +53,7 @@
 
   void read(String prefix, String fileLocation) {
     try {
-      final SAXReader reader = new SAXReader();
+      final SAXReader reader = XMLUtil.getInstance().newSAXReader();
       final Document doc = reader.read(new FileInputStream(fileLocation));
       process(prefix, doc);
     } catch (final Exception e) {
--- a/src/org/openbravo/base/secureApp/LoginUtils.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/base/secureApp/LoginUtils.java	Thu May 02 16:41:04 2019 +0200
@@ -1,6 +1,6 @@
 /*
  ************************************************************************************
- * Copyright (C) 2001-2018 Openbravo S.L.U.
+ * Copyright (C) 2001-2019 Openbravo S.L.U.
  * Licensed under the Apache Software License version 2.0
  * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
  * Unless required by applicable law or agreed to  in writing,  software  distributed
@@ -20,7 +20,6 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
@@ -33,6 +32,7 @@
 import org.openbravo.dal.security.OrganizationStructureProvider;
 import org.openbravo.dal.service.OBDal;
 import org.openbravo.dal.service.OBQuery;
+import org.openbravo.dal.xml.XMLUtil;
 import org.openbravo.database.ConnectionProvider;
 import org.openbravo.erpCommon.businessUtility.Preferences;
 import org.openbravo.erpCommon.security.SessionLogin;
@@ -502,8 +502,7 @@
 
     try {
       // Reading number format configuration
-      final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
-      final DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+      final DocumentBuilder docBuilder = XMLUtil.getInstance().newDocumentBuilder();
       final Document doc = docBuilder.parse(new File(strFormatFile));
       doc.getDocumentElement().normalize();
       final NodeList listOfNumbers = doc.getElementsByTagName("Number");
--- a/src/org/openbravo/base/session/OBPropertiesProvider.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/base/session/OBPropertiesProvider.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2015 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -33,6 +33,7 @@
 import org.openbravo.base.ConfigParameters;
 import org.openbravo.base.exception.OBException;
 import org.openbravo.base.provider.OBConfigFileProvider;
+import org.openbravo.dal.xml.XMLUtil;
 
 /**
  * This class implements a central location where the Openbravo.properties are read and made
@@ -81,7 +82,7 @@
       final File file = getFileFromDevelopmentPath("Format.xml");
       if (file != null) {
         try {
-          SAXReader reader = new SAXReader();
+          SAXReader reader = XMLUtil.getInstance().newSAXReader();
           formatXML = reader.read(new FileReader(file));
         } catch (Exception e) {
           throw new IllegalStateException(e);
@@ -93,7 +94,7 @@
 
   public void setFormatXML(InputStream is) {
     try {
-      SAXReader reader = new SAXReader();
+      SAXReader reader = XMLUtil.getInstance().newSAXReader();
       formatXML = reader.read(is);
     } catch (Exception e) {
       throw new IllegalStateException(e);
--- a/src/org/openbravo/dal/xml/EntityExcelXMLConverter.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/dal/xml/EntityExcelXMLConverter.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2011 Openbravo SLU 
+ * All portions are Copyright (C) 2011-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -28,7 +28,6 @@
 
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
-import javax.xml.transform.sax.SAXTransformerFactory;
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamResult;
 
@@ -92,9 +91,8 @@
     dateFormat = new SimpleDateFormat(dateFormatStr);
     dateTimeFormat = new SimpleDateFormat(dateTimeFormatStr);
     final StreamResult streamResult = new StreamResult(output);
-    final SAXTransformerFactory tf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
 
-    xmlHandler = tf.newTransformerHandler();
+    xmlHandler = XMLUtil.getInstance().newSAXTransformerHandler();
 
     // do some form of pretty printing...
     final Transformer serializer = xmlHandler.getTransformer();
--- a/src/org/openbravo/dal/xml/EntityXMLConverter.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/dal/xml/EntityXMLConverter.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2017 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -32,7 +32,6 @@
 
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
-import javax.xml.transform.sax.SAXTransformerFactory;
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamResult;
 
@@ -155,12 +154,10 @@
   // initialize the sax handlers
   private void initializeSax() throws Exception {
     final StreamResult streamResult = new StreamResult(output);
-    final SAXTransformerFactory tf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
-
-    xmlHandler = tf.newTransformerHandler();
+    xmlHandler = XMLUtil.getInstance().newSAXTransformerHandler();
 
     // do some form of pretty printing...
-    final Transformer serializer = xmlHandler.getTransformer();
+    Transformer serializer = xmlHandler.getTransformer();
     serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
     serializer.setOutputProperty(OutputKeys.VERSION, "1.0");
     serializer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
--- a/src/org/openbravo/dal/xml/XMLUtil.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/dal/xml/XMLUtil.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2010 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -21,16 +21,26 @@
 
 import java.io.StringWriter;
 
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.sax.SAXTransformerFactory;
+import javax.xml.transform.sax.TransformerHandler;
+
 import org.dom4j.Document;
 import org.dom4j.DocumentHelper;
 import org.dom4j.Element;
 import org.dom4j.Namespace;
 import org.dom4j.QName;
 import org.dom4j.io.OutputFormat;
+import org.dom4j.io.SAXReader;
 import org.dom4j.io.XMLWriter;
 import org.openbravo.base.exception.OBException;
 import org.openbravo.base.provider.OBProvider;
 import org.openbravo.base.provider.OBSingleton;
+import org.xml.sax.SAXException;
 
 /**
  * Utility class for XML processing.
@@ -59,8 +69,45 @@
 
   /** @return a new Dom4j Document */
   public Document createDomDocument() {
-    final Document document = DocumentHelper.createDocument();
-    return document;
+    return DocumentHelper.createDocument();
+  }
+
+  /** @return a new secure {@link DocumentBuilder} */
+  public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
+    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    factory.setXIncludeAware(false);
+    factory.setExpandEntityReferences(false);
+    return factory.newDocumentBuilder();
+  }
+
+  /** @return a new secure {@link TransformerHandler} */
+  public TransformerHandler newSAXTransformerHandler() throws TransformerConfigurationException {
+    final SAXTransformerFactory tf = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
+    tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
+    tf.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
+
+    return tf.newTransformerHandler();
+  }
+
+  /** @return a new secure {@link SAXReader} */
+  public SAXReader newSAXReader() throws SAXException {
+    final SAXReader reader = new SAXReader();
+    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    return reader;
+  }
+
+  /** @return a new secure {@link TransformerFactory} */
+  public TransformerFactory newTransformerFactory() {
+    TransformerFactory factory = TransformerFactory.newInstance();
+    factory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
+    factory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
+    return factory;
   }
 
   /**
--- a/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java	Thu May 02 16:41:04 2019 +0200
@@ -10,7 +10,7 @@
  * Portions created by Jorg Janke are Copyright (C) 1999-2001 Jorg Janke, parts
  * created by ComPiere are Copyright (C) ComPiere, Inc.;   All Rights Reserved.
  * Contributor(s): Openbravo SLU
- * Contributions are Copyright (C) 2001-2013 Openbravo S.L.U.
+ * Contributions are Copyright (C) 2001-2019 Openbravo S.L.U.
  ******************************************************************************/
 package org.openbravo.erpCommon.ad_forms;
 
@@ -24,12 +24,12 @@
 import java.sql.SQLException;
 import java.sql.Statement;
 
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
@@ -41,6 +41,7 @@
 import org.apache.logging.log4j.Logger;
 import org.openbravo.base.exception.OBException;
 import org.openbravo.base.session.OBPropertiesProvider;
+import org.openbravo.dal.xml.XMLUtil;
 import org.openbravo.database.ConnectionProvider;
 import org.openbravo.erpCommon.ad_process.buildStructure.Build;
 import org.openbravo.erpCommon.ad_process.buildStructure.BuildTranslation;
@@ -289,27 +290,39 @@
       String AD_Language) {
     final File out = new File(directory, CONTRIBUTORS_FILENAME + "_" + AD_Language + ".xml");
     try {
-      final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-      final DocumentBuilder builder = factory.newDocumentBuilder();
-      final Document document = builder.newDocument();
+      final Document document = newDocument();
       final Element root = document.createElement(XML_CONTRIB);
       root.setAttribute(XML_ATTRIBUTE_LANGUAGE, AD_Language);
       document.appendChild(root);
       root.appendChild(
           document.createTextNode(TranslationData.selectContributors(conn, AD_Language)));
       final DOMSource source = new DOMSource(document);
-      final TransformerFactory tFactory = TransformerFactory.newInstance();
-      final Transformer transformer = tFactory.newTransformer();
+
       // Output
       out.createNewFile();
       final StreamResult result = new StreamResult(out);
       // Transform
-      transformer.transform(source, result);
+      newTransformer().transform(source, result);
     } catch (final Exception e) {
       log4j.error("exportTrl", e);
     }
   }
 
+  private static Document newDocument() throws ParserConfigurationException {
+    return XMLUtil.getInstance().newDocumentBuilder().newDocument();
+  }
+
+  private static Transformer newTransformer() throws TransformerConfigurationException {
+    TransformerFactory tFactory = XMLUtil.getInstance().newTransformerFactory();
+    tFactory.setAttribute("indent-number", 2);
+
+    Transformer transformer = tFactory.newTransformer();
+    transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
+    transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+
+    return transformer;
+  }
+
   private static void exportReferenceData(ConnectionProvider conn, String rootDirectory,
       String AD_Language) {
     try {
@@ -514,8 +527,6 @@
       int rows = 0;
       boolean hasRows = false;
 
-      DocumentBuilderFactory factory = null;
-      DocumentBuilder builder = null;
       Document document = null;
       Element root = null;
       File out = null;
@@ -523,9 +534,8 @@
       // Create xml file
 
       String directory = "";
-      factory = DocumentBuilderFactory.newInstance();
-      builder = factory.newDocumentBuilder();
-      document = builder.newDocument();
+
+      document = newDocument();
       // Root
       root = document.createElement(XML_TAG);
       root.setAttribute(XML_ATTRIBUTE_LANGUAGE, AD_Language);
@@ -553,9 +563,7 @@
           // or it is not rd
           hasRows = true;
 
-          factory = DocumentBuilderFactory.newInstance();
-          builder = factory.newDocumentBuilder();
-          document = builder.newDocument();
+          document = newDocument();
           // Root
           root = document.createElement(XML_TAG);
           root.setAttribute(XML_ATTRIBUTE_LANGUAGE, AD_Language);
@@ -612,16 +620,11 @@
       log4j.info("exportTrl - Records=" + rows + ", DTD=" + document.getDoctype());
 
       final DOMSource source = new DOMSource(document);
-      final TransformerFactory tFactory = TransformerFactory.newInstance();
-      tFactory.setAttribute("indent-number", 2);
-      final Transformer transformer = tFactory.newTransformer();
-      transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
-      transformer.setOutputProperty(OutputKeys.INDENT, "yes");
       // Output
       out.createNewFile();
       // Transform
       final OutputStreamWriter osw = new OutputStreamWriter(new FileOutputStream(out), "UTF-8");
-      transformer.transform(source, new StreamResult(osw));
+      newTransformer().transform(source, new StreamResult(osw));
       osw.close();
     } catch (final Exception e) {
       log4j.error("Error exporting translation for table " + table + "\n" + sql, e);
--- a/src/org/openbravo/erpCommon/modules/ImportModule.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/erpCommon/modules/ImportModule.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2018 Openbravo SLU 
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -44,7 +44,6 @@
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletResponse;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
@@ -67,6 +66,7 @@
 import org.openbravo.dal.core.OBInterceptor;
 import org.openbravo.dal.service.OBCriteria;
 import org.openbravo.dal.service.OBDal;
+import org.openbravo.dal.xml.XMLUtil;
 import org.openbravo.database.ConnectionProvider;
 import org.openbravo.ddlutils.task.DatabaseUtils;
 import org.openbravo.erpCommon.ad_forms.MaturityLevel;
@@ -1186,8 +1186,8 @@
       return;
     }
     log4j.info("Adding .claspath entries");
-    final DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
-    final DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
+
+    final DocumentBuilder docBuilder = XMLUtil.getInstance().newDocumentBuilder();
     final Document doc = docBuilder.parse(obDir + "/.classpath");
     for (final DynaBean module : dModulesToInstall) {
       final String dir = "modules/" + (String) module.get("JAVAPACKAGE") + "/src";
@@ -1199,7 +1199,9 @@
     }
 
     // Save the modified xml file to .classpath file
-    final Transformer transformer = TransformerFactory.newInstance().newTransformer();
+    TransformerFactory tFactory = XMLUtil.getInstance().newTransformerFactory();
+
+    final Transformer transformer = tFactory.newTransformer();
     transformer.setOutputProperty(OutputKeys.INDENT, "yes");
     final FileOutputStream fout = new FileOutputStream(obDir + "/.classpath");
     final StreamResult result = new StreamResult(fout);
--- a/src/org/openbravo/erpCommon/utility/ISOCurrencyPrecision.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/erpCommon/utility/ISOCurrencyPrecision.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2017 Openbravo SLU
+ * All portions are Copyright (C) 2017-2019 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  *************************************************************************
@@ -24,13 +24,13 @@
 import java.util.Date;
 
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.openbravo.base.exception.OBException;
+import org.openbravo.dal.xml.XMLUtil;
 import org.openbravo.erpCommon.ad_callouts.SL_Currency_StdPrecision;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -93,9 +93,8 @@
       if (isoXMLDoc == null) {
         return null;
       }
-      DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
-      DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
 
+      DocumentBuilder dBuilder = XMLUtil.getInstance().newDocumentBuilder();
       Document doc = dBuilder.parse(isoXMLDoc);
       doc.getDocumentElement().normalize();
       long t2 = System.currentTimeMillis();
--- a/src/org/openbravo/service/rest/DalWebService.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/service/rest/DalWebService.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2017 Openbravo SLU
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -523,10 +523,7 @@
     // }
 
     try {
-      final SAXReader reader = new SAXReader();
-      reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-      reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-      reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      final SAXReader reader = XMLUtil.getInstance().newSAXReader();
       final Document document = reader.read(request.getInputStream());
 
       // now parse the xml and let it be translated to a set of
--- a/src/org/openbravo/service/web/WebServiceUtil.java	Thu Apr 11 08:32:00 2019 +0200
+++ b/src/org/openbravo/service/web/WebServiceUtil.java	Thu May 02 16:41:04 2019 +0200
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2008-2015 Openbravo SLU
+ * All portions are Copyright (C) 2008-2019 Openbravo SLU
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -236,7 +236,8 @@
       // the entity name in the url. For example:
       // https://livebuilds.openbravo.com/erp_main_pgsql/ws/dal/ADUser/100
       String regExp = "^(.*)[dal]+[\\/][A-Za-z0-9]+[\\/][A-Za-z0-9]+";
-      final TransformerFactory factory = TransformerFactory.newInstance();
+      final TransformerFactory factory = XMLUtil.getInstance().newTransformerFactory();
+
       final Transformer transformer = factory.newTransformer(new StreamSource(template));
       final DocumentSource source = new DocumentSource(DocumentHelper.parseText(xml));
       final StringWriter sw = new StringWriter();