Do not use WebLogic servlet attributes for XML parsing

This rule detects the use of the WebLogic setAttribute and getAttribute servlet attributes for parsing XML in Java code. A separate rule detects the use of the WebLogic weblogic.servlet.XMLParsingHelper, which enables this feature.

The following cases are detected:
  1. All method invocations of setAttribute, where the first argument is a string literal with any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
       request.setAttribute("org.xml.sax.helpers.DefaultHandler", someObject);

  2. All method invocations of setAttribute, where the first argument is a reference to a string variable or a string field and that variable or field is initialized to any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
       String handler = "org.xml.sax.helpers.DefaultHandler";
       request.setAttribute(handler, someObject);

  3. All method invocations of getAttribute, where the argument is a string literal with any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
       Document myDocument = request.getAttribute("org.w3c.dom.Document");

  4. All method invocations of getAttribute, where the argument is a reference to a string variable or a string field and that variable or field is initialized to any of the following values:
    • org.xml.sax.helpers.DefaultHandler
    • org.xml.sax.HandlerBase
    • org.w3c.dom.Document

    Example:
       String handler = "org.w3c.dom.Document";
       Document myDoc = request.getAttribute(handler);


Depending on how the code is structured, the automated fix will offer any of the following options:
  1. Delete the method call.

    Examples:
       request.setAttribute("org.xml.sax.helpers.DefaultHandler", myHandler);
       request.getAttribute("org.w3c.dom.Document");
    When the automated fix is applied to the previous lines, those lines are deleted.
    Note: Verify that the object, myHandler, is initialized in other ways if it is used within the code later.

  2. Delete the variable initializer section.

    Example:
       Document myDocument = request.getAttribute("org.w3c.dom.Document");
    When the automated fix is applied, the previous code is changed to:
       Document myDocument;
    Note: Verify that the object, myDocument, is initialized in other ways if it is used within the code later.
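
One way to initialize myDocument or drive myHandler after the fix removes the attribute call, using standard JAXP. This is an added example, not code from the rule or from WebLogic; the class name RequestXml, the javax.servlet API level, and the assumption that the XML arrives in the request body are all assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical helper: parses the XML request body without WebLogic attributes. */
public final class RequestXml {
    // Xerces / JDK built-in parser feature that rejects any DOCTYPE declaration.
    private static final String NO_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    private RequestXml() {}

    // Replaces: Document myDocument = request.getAttribute("org.w3c.dom.Document");
    public static Document parseToDom(HttpServletRequest request)
            throws IOException, SAXException, ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The body is client-supplied input: refuse DTDs and entity expansion.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature(NO_DOCTYPE, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        try (InputStream body = request.getInputStream()) {
            return dbf.newDocumentBuilder().parse(body);
        }
    }

    // Replaces: request.setAttribute("org.xml.sax.helpers.DefaultHandler", myHandler);
    public static void parseWithHandler(HttpServletRequest request, DefaultHandler handler)
            throws IOException, SAXException, ParserConfigurationException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(NO_DOCTYPE, true);
        spf.setNamespaceAware(true);
        try (InputStream body = request.getInputStream()) {
            // Callbacks on the handler fire while the body is read.
            spf.newSAXParser().parse(body, handler);
        }
    }
}
```

The request body can be read only once, so call one of these methods per request and pass the result on to any later code that needs it.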