veraPDF · MaximPlusov · May 19, 2026
diff --git a/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java b/core/src/main/java/org/verapdf/metadata/fixer/utils/parser/XMLProcessedObjectsParser.java
@@ -23,6 +23,7 @@
 import org.verapdf.metadata.fixer.utils.model.ProcessedObjects;
 import org.verapdf.metadata.fixer.utils.model.RuleDescription;
 import org.verapdf.pdfa.flavours.PDFAFlavour;
+import org.verapdf.xmp.tools.SecureXML;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -86,16 +87,7 @@ public ProcessedObjects getProcessedObjects(String path)
     @Override
     public ProcessedObjects getProcessedObjects(InputStream xml)
             throws ParserConfigurationException, IOException, SAXException {
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-        try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        } catch (Exception e) {
-            LOGGER.log(Level.WARNING, "Unable to secure xml processing");
-        }
-        DocumentBuilder builder = factory.newDocumentBuilder();
-
-        factory.setIgnoringElementContentWhitespace(true);
-
+        DocumentBuilder builder = SecureXML.newSafeDocumentBuilder();
         Document doc = builder.parse(xml);
 
         Node root = doc.getDocumentElement();

diff --git a/core/src/main/java/org/verapdf/report/XmpHandler.java b/core/src/main/java/org/verapdf/report/XmpHandler.java
@@ -24,6 +24,7 @@
 package org.verapdf.report;
 
 import org.verapdf.features.tools.FeatureTreeNode;
+import org.verapdf.xmp.tools.SecureXML;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
@@ -137,14 +138,7 @@ public static Node parseMetadataRootElement(FeatureTreeNode metadataNode)
 		if (is == null) {
 			return null;
 		}
-		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-		try {
-			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-		} catch (Exception e) {
-			LOGGER.log(Level.WARNING, "Unable to secure metadata processing");
-		}
-		factory.setNamespaceAware(true);
-		DocumentBuilder builder = factory.newDocumentBuilder();
+		DocumentBuilder builder = SecureXML.newSafeDocumentBuilder();
 		Document metadataDocument = builder.parse(is);
 		return metadataDocument.getDocumentElement();
 	}

diff --git a/xmp-core/src/main/java/org/verapdf/xmp/impl/XMPMetaParser.java b/xmp-core/src/main/java/org/verapdf/xmp/impl/XMPMetaParser.java
@@ -16,11 +16,10 @@
 import java.io.StringReader;
 import java.io.UnsupportedEncodingException;
 
-import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import org.verapdf.xmp.tools.SecureXML;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -47,7 +46,6 @@ public class XMPMetaParser
 	/**  */
 	private static final Object XMP_RDF = new Object();
 	/** the DOM Parser Factory, options are set */ 
-	private static DocumentBuilderFactory factory = createDocumentBuilderFactory();
 	//------------------------------------------------------------------------------ veraPDF: additional field for actual encoding used for XMP package serialization
 	private String actualEncoding;
 
@@ -280,8 +278,7 @@ private Document parseInputSource(InputSource source) throws XMPException
 	{
 		try
 		{
-			DocumentBuilder builder = factory.newDocumentBuilder();
-			builder.setErrorHandler(null);
+			DocumentBuilder builder = SecureXML.newSafeDocumentBuilder();
 			return builder.parse(source);
 		}
 		catch (SAXException e)
@@ -395,29 +392,4 @@ else if (!xmpmetaRequired  &&
 		return null;
 		//     is extracted here in the C++ Toolkit		
 	}
-
-
-	/**
-	 * @return Creates, configures and returnes the document builder factory for
-	 *         the Metadata Parser.
-	 */
-	private static DocumentBuilderFactory createDocumentBuilderFactory()
-	{
-		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-		factory.setNamespaceAware(true);
-		factory.setIgnoringComments(true);
-
-		try
-		{
-			// honor System parsing limits, e.g.
-			// System.setProperty("entityExpansionLimit", "10");
-			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-		}
-		catch (Exception e)
-		{
-			// Ignore IllegalArgumentException and ParserConfigurationException
-			// in case the configured XML-Parser does not implement the feature.
-		}		
-		return factory;
-	}
 }
diff --git a/xmp-core/src/main/java/org/verapdf/xmp/tools/SecureXML.java b/xmp-core/src/main/java/org/verapdf/xmp/tools/SecureXML.java
@@ -0,0 +1,47 @@
+package org.verapdf.xmp.tools;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+public class SecureXML {
+
+    private static DocumentBuilderFactory factory = createDocumentBuilderFactory();
+
+    public static DocumentBuilder newSafeDocumentBuilder() throws ParserConfigurationException {
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        builder.setErrorHandler(null);
+        return builder;
+    }
+
+    /**
+     * @return Creates, configures and returns the document builder factory for
+     *         the Metadata Parser.
+     */
+    private static DocumentBuilderFactory createDocumentBuilderFactory()
+    {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setNamespaceAware(true);
+        factory.setIgnoringComments(true);
+        try
+        {
+            // honor System parsing limits, e.g.
+            // System.setProperty("entityExpansionLimit", "10");
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("[http://apache.org/xml/features/disallow-doctype-decl](http://apache.org/xml/features/disallow-doctype-decl)", true);
+            factory.setFeature("[http://xml.org/sax/features/external-general-entities](http://xml.org/sax/features/external-general-entities)", false);
+            factory.setFeature("[http://xml.org/sax/features/external-parameter-entities](http://xml.org/sax/features/external-parameter-entities)", false);
+            factory.setFeature("[http://apache.org/xml/features/nonvalidating/load-external-dtd](http://apache.org/xml/features/nonvalidating/load-external-dtd)", false);
+            factory.setXIncludeAware(false);
+            factory.setExpandEntityReferences(false);
+            factory.setIgnoringElementContentWhitespace(true);
+        }
+        catch (Exception e)
+        {
+            // Ignore IllegalArgumentException and ParserConfigurationException
+            // in case the configured XML-Parser does not implement the feature.
+        }
+        return factory;
+    }
+}