Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Tue, 29 Jul 2025 13:29:48 +0000
Subject: Re: [pgjdbc/pgjdbc] issue #3747: Can not set custom PGXmlFactoryFactory
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 3132554556
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3747
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/issues/3747#issuecomment-3132554556
Content-Type: text/plain; charset=utf-8

You're right. I don't think that code ever worked and has been broken since the CVE fix that added it: 14b62aca4764d496813f55a43d050b017e01eb65

You might be the first person to ever actually use it too. Prior to that the XML factory could not be overridden. The override was added as an escape hatch to allow for users that need something separate from the old insecure behavior (via the legacy `LEGACY INSECURE` option) or the new default secure behavior. But the default and legacy processing branches do not perform any of those checks as it directly instantiates them.

If you open a PR for this (I think it's just reversing that if-statement) I'll take a look later today.