Pull request #142: [EDELIVERY-13369] add scheme validation for the sample extension

Merge in EDELIVERY/smp from bugfix/EDELIVERY-13369-sa-domismp-it3-3.5-cross-site-scripting-dom-and-3.8-open-redirect to development

* commit '6c177cca':
  [EDELIVERY-13369] add scheme validation for the sample extension

smp-resource-extensions/oasis-cppa3-spi/src/main/java/eu/europa/ec/smp/spi/handler/AbstractHandler.java

@@ -67,11 +67,8 @@ public abstract class AbstractHandler implements ResourceHandlerSpi {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
         factory.setNamespaceAware(true);
         factory.setValidating(true);
-        try {
-            factory.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
-        } catch (ParserConfigurationException e) {
-            LOG.warn("DocumentBuilderFactory initialization error. The feature [{}] is not supported by current factory. The feature is ignored.", DISALLOW_DOCTYPE_FEATURE);
-        }
+        enableFeature(factory, DISALLOW_DOCTYPE_FEATURE);
+        enableFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING);
 
         try {
             return factory.newDocumentBuilder();
@@ -80,6 +77,16 @@ public abstract class AbstractHandler implements ResourceHandlerSpi {
         }
     }
 
+    private static boolean enableFeature(DocumentBuilderFactory factory, String feature) {
+        try {
+            factory.setFeature(feature, true);
+            return true;
+        } catch (ParserConfigurationException e) {
+            LOG.warn("DocumentBuilderFactory initialization error. The feature [{}] is not supported by current factory. The feature is ignored.", feature);
+            return false;
+        }
+    }
+
     private static final ThreadLocal<Unmarshaller> jaxbUnmarshaller = ThreadLocal.withInitial(() -> {
         try {
             JAXBContext jaxbContext = JAXBContext.newInstance(CPP.class);