From 563f96e3f28e5c3c978da1502e1e1e7fa4a5ee54 Mon Sep 17 00:00:00 2001
From: Jody Garnett <jody.garnett@gmail.com>
Date: Thu, 21 May 2026 16:52:55 -0700
Subject: [PATCH 1/5] Add PMD rules to check and recommend use of XMLUtils

---
 geowebcache/pmd-ruleset.xml | 137 +++++++++++++++++++++++++++++++++++-
 1 file changed, 136 insertions(+), 1 deletion(-)

diff --git a/geowebcache/pmd-ruleset.xml b/geowebcache/pmd-ruleset.xml
index 4031bf176..78b495ef7 100644
--- a/geowebcache/pmd-ruleset.xml
+++ b/geowebcache/pmd-ruleset.xml
@@ -114,5 +114,140 @@ GeoWebCache ruleset. See https://pmd.github.io/pmd/pmd_userdocs_making_rulesets.
     <properties>
       <property name="reportLevel" value="140"/>
     </properties>
-  </rule>	 
+  </rule>
+  
+  <rule name="AvoidDocumentBuilderFactory"
+        language="java"
+        message="Do not use DocumentBuildeFactory instance directly; recommend XMLUtils.newDocumentBuilderFactory()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of DocumentBuilderFactory.newInstance() which should be avoided in favor of
+      XMLUtils.DocumentBuilderFactory(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+          <value>
+              <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.parsers.DocumentBuilderFactory#newInstance()")]
+              ]]>
+          </value>
+      </property>
+    </properties>
+  </rule>
+  <rule name="AvoidDocumentBuilder"
+        language="java"
+        message="Do not use DocumentBuilder directly; recommend XMLUtils.newDocumentBuilder()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of DocumentBuilderFactory.newDocumentBuilder() which should be avoided in favor of
+      XMLUtils.newDocumentBuilder(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+          <value>
+              <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.parsers.DocumentBuilderFactory#newDocumentBuilder()")]
+              ]]>
+          </value>
+      </property>
+    </properties>
+  </rule>
+  <rule name="AvoidTransformFactory"
+        language="java"
+        message="Do not use TransformerFactory directly; recommend XMLUtils.newInstance()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of TransformerFactory.newInstance() which should be avoided in favor of
+      XMLUtils.newTransformerFactory(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+          <value>
+              <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.transform.TransformerFactory#newInstance()")]
+              ]]>
+          </value>
+      </property>
+    </properties>
+  </rule>
+  <rule name="AvoidTransformer"
+        language="java"
+        message="Do not use TransformerFactory.newTransformer() directly; recommend XMLUtils.newTransformer()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of TransformerFactory.newTransformer() which should be avoided in favor of
+      XMLUtils.newTransformer(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+        <value>
+          <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.transform.TransformerFactory#newTransformer()")]
+              ]]>
+        </value>
+      </property>
+    </properties>
+  </rule>
+  <rule name="AvoidTransformerSource"
+        language="java"
+        message="Do not use TransformerFactory.newTransformer(source) directly; recommend XMLUtils.newTransformer(source)"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of TransformerFactory.newTransformer(Source) which should be avoided in favor of
+      XMLUtils.newTransformer(Source,Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+        <value>
+          <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.transform.TransformerFactory#newTransformer(javax.xml.transform.Source)")]
+              ]]>
+        </value>
+      </property>
+    </properties>
+  </rule>
+  <rule name="AvoidSAXParserFactory"
+        language="java"
+        message="Do not use ParserFactory.newInstance() directly; recommend XMLUtils.newSAXParserFactory()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of SAXParserFactory.newInstance() which should be avoided in favor of
+      XMLUtils.newSAXParserFactory(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+        <value>
+          <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.parsers.SAXParserFactory#newInstance()")]
+              ]]>
+        </value>
+      </property>
+    </properties>
+  </rule>
+  <rule name="AvoidSaxParser"
+        language="java"
+        message="Do not use SAXParserFactory.newSAXParser() directly; recommend XMLUtils.newSAXParser()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of SAXParserFactory.newSAXParser() which should be avoided in favor of
+      XMLUtils.newSAXParser(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+        <value>
+          <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.parsers.SAXParserFactory#newInstance()")]
+              ]]>
+        </value>
+      </property>
+    </properties>
+  </rule>
+  
 </ruleset>

From ca489394d47e68aee927614c9e11592b5cdebfe8 Mon Sep 17 00:00:00 2001
From: Pierre Mauduit <pierre.mauduit@camptocamp.com>
Date: Thu, 21 May 2026 17:50:21 +0200
Subject: [PATCH 2/5] using GT utility classes for XML parsing/producing

---
 geowebcache/core/pom.xml                                  | 4 ++++
 .../java/org/geowebcache/config/XMLConfiguration.java     | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/geowebcache/core/pom.xml b/geowebcache/core/pom.xml
index d309d9b99..05cf22068 100644
--- a/geowebcache/core/pom.xml
+++ b/geowebcache/core/pom.xml
@@ -23,6 +23,10 @@
       <groupId>org.geotools</groupId>
       <artifactId>gt-coverage</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.geotools</groupId>
+      <artifactId>gt-xml</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-collections4</artifactId>
diff --git a/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java b/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java
index 7c330fb78..6e0cb24cf 100644
--- a/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java
+++ b/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java
@@ -45,7 +45,6 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.TransformerFactoryConfigurationError;
 import javax.xml.transform.dom.DOMResult;
 import javax.xml.transform.dom.DOMSource;
@@ -54,6 +53,7 @@
 import javax.xml.validation.SchemaFactory;
 import javax.xml.validation.Validator;
 import org.geotools.util.logging.Logging;
+import org.geotools.xml.XMLUtils;
 import org.geowebcache.GeoWebCacheEnvironment;
 import org.geowebcache.GeoWebCacheException;
 import org.geowebcache.GeoWebCacheExtensions;
@@ -616,7 +616,7 @@ static Node loadDocument(InputStream xmlFile) throws ConfigurationException, IOE
         try {
             DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
             docBuilderFactory.setNamespaceAware(true);
-            DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+            DocumentBuilder docBuilder = XMLUtils.newDocumentBuilder(docBuilderFactory);
             topNode = checkAndTransform(docBuilder.parse(xmlFile));
         } catch (Exception e) {
             throw (IOException) new IOException(e.getMessage()).initCause(e);
@@ -758,7 +758,7 @@ static String getCurrentSchemaVersion() {
 
         Document dom;
         try (InputStream is = XMLConfiguration.class.getResourceAsStream("geowebcache.xsd")) {
-            dom = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(is);
+            dom = XMLUtils.newDocumentBuilder().parse(is);
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -777,7 +777,7 @@ private static Node applyTransform(Node oldRootNode, String xslFilename) {
         try (InputStream is = XMLConfiguration.class.getResourceAsStream(xslFilename)) {
 
             try {
-                transformer = TransformerFactory.newInstance().newTransformer(new StreamSource(is));
+                transformer = XMLUtils.newTransformer(new StreamSource(is));
                 transformer.transform(new DOMSource(oldRootNode), result);
             } catch (TransformerFactoryConfigurationError | TransformerException e) {
                 log.log(Level.FINE, e.getMessage(), e);

From 964d1a0192067391bb36d992ef816a7338f6f530 Mon Sep 17 00:00:00 2001
From: Pierre Mauduit <pierre.mauduit@camptocamp.com>
Date: Tue, 26 May 2026 12:05:42 +0200
Subject: [PATCH 3/5] GeoRSSReader: making use of XMLUtils utility class from
 GT

---
 .../src/main/java/org/geowebcache/georss/StaxGeoRSSReader.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/geowebcache/georss/src/main/java/org/geowebcache/georss/StaxGeoRSSReader.java b/geowebcache/georss/src/main/java/org/geowebcache/georss/StaxGeoRSSReader.java
index f6a26af12..53f166c68 100644
--- a/geowebcache/georss/src/main/java/org/geowebcache/georss/StaxGeoRSSReader.java
+++ b/geowebcache/georss/src/main/java/org/geowebcache/georss/StaxGeoRSSReader.java
@@ -33,6 +33,7 @@
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import org.geotools.util.logging.Logging;
+import org.geotools.xml.XMLUtils;
 import org.geowebcache.georss.GML31ParsingUtils.GML;
 import org.locationtech.jts.geom.Geometry;
 
@@ -77,7 +78,7 @@ private static final class GEORSS {
     private final GML31ParsingUtils gmlParser;
 
     public StaxGeoRSSReader(final Reader feed) throws XMLStreamException, FactoryConfigurationError {
-        XMLInputFactory factory = XMLInputFactory.newInstance();
+        XMLInputFactory factory = XMLUtils.newXMLInputFactory();
         reader = factory.createXMLStreamReader(feed);
 
         reader.nextTag();

From 6740b901fac88c1d2aff33064b83bc42bfbc23db Mon Sep 17 00:00:00 2001
From: Pierre Mauduit <pierre.mauduit@camptocamp.com>
Date: Tue, 26 May 2026 12:23:18 +0200
Subject: [PATCH 4/5] Adding a PMD rule to avoid direct calls to
 XMLInputFactory.newInstance()

---
 geowebcache/pmd-ruleset.xml | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/geowebcache/pmd-ruleset.xml b/geowebcache/pmd-ruleset.xml
index 78b495ef7..3dcc17d3f 100644
--- a/geowebcache/pmd-ruleset.xml
+++ b/geowebcache/pmd-ruleset.xml
@@ -249,5 +249,25 @@ GeoWebCache ruleset. See https://pmd.github.io/pmd/pmd_userdocs_making_rulesets.
       </property>
     </properties>
   </rule>
-  
+
+  <rule name="AvoidXMLInputFactory"
+        language="java"
+        message="Do not use XMLInputFactory.newInstance() directly; recommend XMLUtils.newXMLInputFactory()"
+        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
+    <description>
+      Notice use of SAXParserFactory.newSAXParser() which should be avoided in favor of
+      XMLUtils.newSAXParser(Hints) to respect GeoTools init configuration.
+    </description>
+    <priority>3</priority>
+    <properties>
+      <property name="xpath">
+        <value>
+          <![CDATA[
+              //MethodCall[pmd-java:matchesSig("javax.xml.stream.XMLInputFactory#newInstance()")]
+              ]]>
+        </value>
+      </property>
+    </properties>
+  </rule>
+
 </ruleset>

From 09081f5ee7d52cb36a1b04e6a9f34dde5170a571 Mon Sep 17 00:00:00 2001
From: Pierre Mauduit <pierre.mauduit@camptocamp.com>
Date: Wed, 27 May 2026 10:35:45 +0200
Subject: [PATCH 5/5] also go through XMLUtils for sensible defaults on
 DocumentBuilderFactory

---
 .../src/main/java/org/geowebcache/config/XMLConfiguration.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java b/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java
index 6e0cb24cf..552e2d027 100644
--- a/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java
+++ b/geowebcache/core/src/main/java/org/geowebcache/config/XMLConfiguration.java
@@ -614,7 +614,7 @@ private synchronized void addOrReplaceGridSet(final XMLGridSet gridSet) throws I
     static Node loadDocument(InputStream xmlFile) throws ConfigurationException, IOException {
         Node topNode = null;
         try {
-            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory docBuilderFactory = XMLUtils.newDocumentBuilderFactory();
             docBuilderFactory.setNamespaceAware(true);
             DocumentBuilder docBuilder = XMLUtils.newDocumentBuilder(docBuilderFactory);
             topNode = checkAndTransform(docBuilder.parse(xmlFile));