JAR File's config.xml
A JAR file can contain a configuration file that overrides the default configuration of a ZK application. The file must be named config.xml and placed under the /metainfo/zk directory. Of course, the configuration specified in WEB-INF/zk.xml has higher priority. It will override the configuration specified in

By using config.xml, a JAR file can change the default configuration without the user noticing, for example by adding a desktop listener or setting a library property. For more information, please refer to ZK Developer's Reference: Packing Code.
Starting from ZK 10, the XML parser used by ZK sets disallow-doctype-decl to true. This prevents the use of a DOCTYPE declaration in XML files such as zk.xml, lang-addon.xml, config.xml, etc. This is a security measure to prevent XXE attacks that use <!DOCTYPE ...> as a vector.
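
To check how a configuration file fares under this setting before packaging it into a JAR, the following added example (not ZK's own code) parses two constructed documents with a JAXP DOM parser that has the disallow-doctype-decl feature enabled. The class name, the sample documents and the choice of the DOM API are assumptions; the page does not say which parser API ZK uses internally.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical helper class, not part of ZK.
public class DoctypeCheck {
    // JAXP/Xerces feature URI for the disallow-doctype-decl setting.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample: a plain configuration file with no DOCTYPE.
    static final String PLAIN =
            "<config><config-name>sample</config-name></config>";

    // Constructed sample: same content, but it declares a DOCTYPE with a
    // harmless internal entity. Any DOCTYPE is enough to be refused.
    static final String WITH_DOCTYPE =
            "<!DOCTYPE config [<!ENTITY v \"sample\">]>"
            + "<config><config-name>&v;</config-name></config>";

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // With this feature on, the parser raises a fatal error as soon as
        // it sees <!DOCTYPE, before any entity is defined or resolved.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors without printing to stderr.
        builder.setErrorHandler(new DefaultHandler());
        return builder;
    }

    static String check(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            Document doc = hardenedBuilder().parse(new ByteArrayInputStream(bytes));
            return "accepted, root element <" + doc.getDocumentElement().getNodeName() + ">";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain config.xml:   " + check(PLAIN));
        System.out.println("DOCTYPE config.xml: " + check(WITH_DOCTYPE));
    }
}
```

Files that relied on a DOCTYPE for a DTD reference or for entity shortcuts need that declaration removed before they will load under ZK 10.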