I still see teams stumble on XML because they treat it like plain text or assume a streaming parser is always the answer. That mistake shows up when the XML turns into a living document you need to inspect, reshape, or rewrite in place. The DOM parser is the tool I reach for when I need a full, in-memory tree I can walk, edit, and persist. It is not the lightest approach, but it is the most predictable when structure matters and the document size is reasonable.
If you are dealing with catalogs, configuration bundles, integration payloads that you must adjust, or XML you must validate and then enrich, DOM is the workhorse. It gives you an object model that mirrors the XML hierarchy and it plays nicely with Java’s standard APIs. I am going to show how I approach DOM parsing in modern Java, with secure defaults, readable traversal, and practical editing. I will also call out the situations where DOM is the wrong choice and give you simple ways to avoid common mistakes that slow teams down or expose them to security risks.
The DOM mental model I rely on
When I think about DOM, I picture a tree where every XML element, attribute, and text node has a place. The root of that tree is the Document, and every other piece of the XML hangs off it as a Node. That model is surprisingly useful because it forces clarity: each node has a type, a name, and a set of relationships. Once you understand those relationships, you can move across the tree like you would in a filesystem.
I also treat DOM as a living snapshot. The parser reads the entire document into memory. From that point on, I can modify nodes, add elements, remove elements, and even reorder parts of the tree. The DOM API feels verbose at first, but it is consistent. You ask for children, you inspect attributes, you read or change text content, and you write the tree back to disk or to a stream. That simplicity is why DOM still matters in 2026, even with JSON and streaming parsers everywhere.
A small analogy I use with new teammates: a DOM tree is like a structured whiteboard where each element is a sticky note. You can move notes around, write new notes, or erase old ones. With a stream parser, the notes fly by you on a conveyor belt. That makes the tree model slower for huge inputs, but far easier when your work requires edits or cross-references.
When I choose DOM and when I avoid it
I reach for DOM when I need full visibility into the document and I expect edits. If I need to merge two XML documents, normalize a data set, or generate an output where I must reorder nodes, DOM is the simplest approach. I also prefer DOM when I have to run multiple queries against the same document and I want random access without reparsing.
I avoid DOM when the document is huge or when I only need a small subset of data. If the XML can be hundreds of megabytes, a streaming parser is usually a better fit because it avoids loading everything into memory. Likewise, if the task is a single pass, and I do not need to modify the content, SAX or StAX is the more sensible option.
Here is a direct comparison I use during architectural reviews:
Traditional approach
—
DOM with direct tree edits
SAX
DOM with NodeList and XPath
DOM + Schema validation
That table is not a “pros and cons” debate. It is a map of what I actually choose for real projects. When your requirements match the left column, I pick the modern approach on the right.
Building a secure, modern DOM parse pipeline
In 2026, I treat secure defaults as a requirement. XML parsers can be tricked into resolving external entities or loading untrusted content. That is a real risk in services that parse XML from third parties. The following example sets safe features up front, parses XML from a string, and gives you a DOM you can edit. It is a full, runnable example with a main method.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
public class DomParserDemo {
public static void main(String[] args) throws Exception {
String xml = """
Practical Java XML
39.95
Systems Integration
49.50
""";
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
factory.setFeature(XMLConstants.FEATURESECUREPROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(xml)));
doc.getDocumentElement().normalize();
Element root = doc.getDocumentElement();
System.out.println("Root element: " + root.getTagName());
System.out.println("Book count: " + doc.getElementsByTagName("book").getLength());
}
}
I set FEATURESECUREPROCESSING and disable external entities. Those settings block the most common XML entity attacks. I also turn off XInclude support and entity expansion, because I rarely need them in production systems that process untrusted content. If you do need external entities, you should gate them behind strict allowlists and run them in a controlled environment.
Working with nodes: traversal, searching, and updates
Once the document is in memory, I keep my code readable by using small helper functions. DOM is verbose by nature, so clarity matters more than minimizing lines of code. The example below extends the previous XML and performs three common tasks: find specific elements, update a value, and add a new element. It also writes the updated XML back out, which is essential when DOM is part of a transformation pipeline.
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
public class DomEditDemo {
public static void main(String[] args) throws Exception {
String xml = """
Practical Java XML
39.95
Systems Integration
49.50
""";
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setFeature(XMLConstants.FEATURESECUREPROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(xml)));
doc.getDocumentElement().normalize();
// Update the price of a specific book
NodeList books = doc.getElementsByTagName("book");
for (int i = 0; i < books.getLength(); i++) {
Element book = (Element) books.item(i);
if ("bk102".equals(book.getAttribute("id"))) {
Element price = (Element) book.getElementsByTagName("price").item(0);
price.setTextContent("44.00");
}
}
// Add a new book
Element newBook = doc.createElement("book");
newBook.setAttribute("id", "bk103");
Element title = doc.createElement("title");
title.setTextContent("Distributed Systems Field Guide");
Element price = doc.createElement("price");
price.setAttribute("currency", "USD");
price.setTextContent("52.00");
newBook.appendChild(title);
newBook.appendChild(price);
doc.getDocumentElement().appendChild(newBook);
// Serialize the updated document
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
StringWriter out = new StringWriter();
transformer.transform(new DOMSource(doc), new StreamResult(out));
System.out.println(out.toString());
}
}
This is the kind of code I ship. It is direct, testable, and easy to read. I avoid heavy reflection or custom node wrappers unless the domain really demands it. DOM is already an object model; do not make it harder than it needs to be.
Validation, namespaces, and schema-aware parsing
If you care about correctness, validation is not optional. I validate whenever the XML is user-controlled, third-party, or used to drive behavior. A schema prevents bad data from creeping into your pipeline and gives you a predictable structure. In DOM, I typically validate during parse time by attaching a schema to the DocumentBuilderFactory.
Namespace handling is equally important. Modern XML almost always uses namespaces, and ignoring them leads to confusing bugs where getElementsByTagName silently misses the nodes you want. I always set setNamespaceAware(true) and then use getElementsByTagNameNS when a namespace is involved.
A schema-aware parse looks like this in practice:
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
public class DomSchemaDemo {
public static void main(String[] args) throws Exception {
String xml = """
Practical Java XML
39.95
""";
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3CXMLSCHEMANSURI);
Schema schema = schemaFactory.newSchema(new java.io.File("catalog.xsd"));
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setSchema(schema);
factory.setFeature(XMLConstants.FEATURESECUREPROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(xml)));
System.out.println(doc.getDocumentElement().getLocalName());
}
}
Notice the namespace declaration in the XML and the schema hookup. This is the path I take when I want strong guarantees. If the schema fails, I want it to fail fast before any logic touches the data.
In 2026, I also pair schema validation with automated checks in CI. A small test that runs schema validation against sample XML catches contract drift early. AI assistants help generate new sample payloads and keep them aligned with your schema, but I still keep a human review loop to avoid subtle mismatches.
Performance, memory, and large-document strategies
DOM is not a free lunch. It holds the entire document in memory and each node carries overhead. For small to mid-sized XML, that is fine. In my experience, a few hundred kilobytes to a few megabytes is usually comfortable, and parse times are typically in the 10–30ms range on modern machines. Once you climb into tens of megabytes, memory usage can jump fast and parse times often land in the hundreds of milliseconds.
When I must stick with DOM on larger documents, I do three things. First, I keep the document as small as possible by removing unused namespaces or redundant data at the source. Second, I avoid getElementsByTagName across the whole document in tight loops, because it scans large parts of the tree. I either cache results or navigate from known parent nodes. Third, I serialize only when I need to, and I avoid repeated transforms in a loop.
If a document is truly massive, I move to StAX for the initial parse and only build a DOM subtree for the portion that needs edits. That hybrid approach lets you keep memory flat while still benefiting from the DOM object model where it matters.
Common mistakes I still see (and how I avoid them)
I still see the same issues in code reviews and production outages, so I keep a checklist in my head:
- Skipping secure parser features. If you parse untrusted XML without blocking external entities, you are creating a risk. I always set the secure features first.
- Ignoring namespaces. If the XML uses a default namespace and you call
getElementsByTagName, you will get empty results. I always enable namespace awareness and use namespace-aware queries. - Treating whitespace as data. DOM keeps text nodes for whitespace between elements. If you are iterating children, you must filter node types or call
normalizeand then usegetElementsByTagName. - Mixing read and write logic in a single loop. I separate traversal from mutation whenever possible. That makes the code easier to test and reduces surprises.
I will add a few more pitfalls that keep showing up:
- Not handling
NullPointerExceptionfromitem(0)lookups. If a tag is missing,item(0)returnsnull. I always guard lookups or wrap them in helper methods that return optional values. - Misusing
getTextContent()on elements with nested tags.getTextContent()returns concatenated text from all descendants. If you only want direct text, you must iterate child nodes and filter forNode.TEXT_NODE. - Forgetting to set encoding when writing output. If your XML contains non-ASCII characters, set the output encoding explicitly or you may get inconsistent results across environments.
- Creating elements in the wrong document. Nodes belong to the document that created them. If you are merging documents, you must
importNodeinto the target document first.
These are not academic errors. I have seen real data corruption and broken integrations from each of them.
Helper methods I actually use
The DOM API is low level. I rarely use it raw in production code. Instead, I create a small utility class per project with a few safe helper methods. These are not frameworks; they are just guardrails to keep the code clean and consistent.
Here is a compact example of helpers that I reuse across projects:
import org.w3c.dom.*;
public final class DomHelpers {
private DomHelpers() {}
public static Element firstChildElement(Element parent, String tagName) {
NodeList list = parent.getElementsByTagName(tagName);
if (list.getLength() == 0) return null;
return (Element) list.item(0);
}
public static String attr(Element element, String name, String defaultValue) {
if (element == null) return defaultValue;
String value = element.getAttribute(name);
return value == null || value.isBlank() ? defaultValue : value;
}
public static String text(Element element, String defaultValue) {
if (element == null) return defaultValue;
String value = element.getTextContent();
return value == null || value.isBlank() ? defaultValue : value.trim();
}
public static Element append(Element parent, String name, String textContent) {
Document doc = parent.getOwnerDocument();
Element child = doc.createElement(name);
if (textContent != null) {
child.setTextContent(textContent);
}
parent.appendChild(child);
return child;
}
}
With helpers like these, my parsing logic becomes much easier to read. I keep helpers minimal and focused: they should reduce boilerplate, not hide important behavior.
Namespace-aware traversal that does not surprise you
Namespaces are where DOM beginners lose time. The trouble is not the namespace itself; it is the mismatch between local names and qualified names. I keep a few rules that save me from confusion:
- Always parse with
setNamespaceAware(true)when the XML is not fully under my control. - Use
getElementsByTagNameNSwhen a default namespace is present. - If you need to work with multiple namespaces, define constants for their URIs and do not inline them in code.
Here is a simple, namespace-aware search example:
String NS = "http://example.com/catalog";
Element root = doc.getDocumentElement();
NodeList books = root.getElementsByTagNameNS(NS, "book");
for (int i = 0; i < books.getLength(); i++) {
Element book = (Element) books.item(i);
String id = book.getAttribute("id");
Element title = (Element) book.getElementsByTagNameNS(NS, "title").item(0);
System.out.println(id + " -> " + title.getTextContent());
}
If you are working with prefixed namespaces, the URI remains the source of truth. Prefixes can change. URIs should not. That rule alone eliminates a lot of fragile code.
Editing patterns: insert, delete, move, merge
DOM editing is where you get real leverage. But you need to be deliberate about how you do it. The three patterns I rely on most are insert, delete, and move.
Insert
Insert is straightforward. You create a node and append it. I prefer to keep the order explicit. If the document has a fixed ordering, insert relative to known siblings instead of blindly appending.
Element catalog = doc.getDocumentElement();
Element newBook = doc.createElement("book");
newBook.setAttribute("id", "bk104");
DomHelpers.append(newBook, "title", "XML Integration Patterns");
DomHelpers.append(newBook, "price", "58.00");
catalog.appendChild(newBook);
Delete
Delete is a matter of removing a child from its parent. The gotcha is that NodeList is live; if you mutate while iterating, indexes can shift. I often collect nodes first, then remove them in a second pass.
NodeList books = doc.getElementsByTagName("book");
java.util.List toRemove = new java.util.ArrayList();
for (int i = 0; i < books.getLength(); i++) {
Element book = (Element) books.item(i);
if ("deprecated".equals(book.getAttribute("status"))) {
toRemove.add(book);
}
}
for (Element book : toRemove) {
book.getParentNode().removeChild(book);
}
Move
Moving is just remove + append, but you should be careful to preserve order and prevent accidental duplication. I usually move within the same document, but when moving between documents, use importNode.
Element source = (Element) doc.getElementsByTagName("archived").item(0);
Element target = (Element) doc.getElementsByTagName("active").item(0);
Element bookToMove = (Element) source.getElementsByTagName("book").item(0);
source.removeChild(bookToMove);
target.appendChild(bookToMove);
Merge two documents
This is a pattern I use for configuration overlays or merging catalogs from two systems. The trick is to import nodes from one document into the other.
Document base = builder.parse(new InputSource(new StringReader(baseXml)));
Document overlay = builder.parse(new InputSource(new StringReader(overlayXml)));
NodeList overlayBooks = overlay.getElementsByTagName("book");
Element baseRoot = base.getDocumentElement();
for (int i = 0; i < overlayBooks.getLength(); i++) {
Node imported = base.importNode(overlayBooks.item(i), true);
baseRoot.appendChild(imported);
}
I keep merge logic explicit and domain-driven. If you need de-duplication, treat IDs as primary keys and replace or merge based on those rules.
XPath in a DOM workflow: powerful but optional
I use XPath when the tree is complex and the query is declarative. But I do not use it everywhere because it can hide intent and be slower if overused. A practical approach is to use XPath for discovery and DOM for mutation.
Here is a small XPath example for selecting a subset of nodes:
import javax.xml.xpath.*;
import org.w3c.dom.*;
XPathFactory xpf = XPathFactory.newInstance();
XPath xpath = xpf.newXPath();
XPathExpression expr = xpath.compile("/catalog/book[price > 40.00]");
NodeList result = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
for (int i = 0; i < result.getLength(); i++) {
Element book = (Element) result.item(i);
System.out.println(book.getAttribute("id"));
}
I precompile XPath expressions if I run them repeatedly. And I keep XPath queries short and readable. If a query gets too complex, I split it into a DOM traversal for clarity.
Error handling that is actually helpful
DOM parsing throws exceptions for many reasons: malformed XML, schema mismatch, IO issues, or security constraints. If you just throw Exception, you bury signal. I prefer to capture errors with enough context to make them actionable.
Here is a pattern I use for service code:
try {
Document doc = builder.parse(inputSource);
// normal processing
} catch (org.xml.sax.SAXParseException e) {
throw new IllegalArgumentException(
"Invalid XML at line " + e.getLineNumber() + ", column " + e.getColumnNumber(), e);
} catch (org.xml.sax.SAXException e) {
throw new IllegalArgumentException("Invalid XML content", e);
}
The line and column are incredibly useful when you debug customer payloads or CI fixtures. I keep these details in logs, not in user-facing errors.
Practical scenario: adjusting integration payloads
A realistic use case is a system that receives XML payloads from upstream partners and needs to enforce defaults or enrich missing values. Here is a compact example of how I do that.
The input might look like this:
24512
Jordan Smith
129.99
I often need to enforce a missing element and normalize currency attributes. DOM makes this easy:
Element order = doc.getDocumentElement();
Element source = DomHelpers.firstChildElement(order, "source");
if (source == null) {
source = DomHelpers.append(order, "source", "partner-x");
}
Element total = DomHelpers.firstChildElement(order, "total");
if (total != null) {
String currency = total.getAttribute("currency");
if (currency == null || currency.isBlank()) {
total.setAttribute("currency", "USD");
}
}
This is a small edit, but it is representative of the kind of payload normalization that DOM is great at.
Practical scenario: configuration overlays
Another common pattern is merging a base configuration with an environment-specific overlay. XML is still used for this in legacy systems and some enterprise platforms.
I keep the logic simple: load base and overlay, then for each overlay node, replace or append in base based on a unique key.
Element baseRoot = base.getDocumentElement();
NodeList overlayEntries = overlay.getElementsByTagName("entry");
for (int i = 0; i < overlayEntries.getLength(); i++) {
Element overlayEntry = (Element) overlayEntries.item(i);
String key = overlayEntry.getAttribute("key");
Element target = null;
NodeList baseEntries = baseRoot.getElementsByTagName("entry");
for (int j = 0; j < baseEntries.getLength(); j++) {
Element candidate = (Element) baseEntries.item(j);
if (key.equals(candidate.getAttribute("key"))) {
target = candidate;
break;
}
}
if (target != null) {
baseRoot.replaceChild(base.importNode(overlayEntry, true), target);
} else {
baseRoot.appendChild(base.importNode(overlayEntry, true));
}
}
This is not the most elegant algorithm, but it is transparent and easy to test. When performance matters, I create a map from key to element first. DOM is flexible enough to support both styles.
Edge cases that break naive DOM code
DOM is forgiving, but it will not save you from logic errors. Here are edge cases I keep in mind:
- Mixed content: Elements can contain both text and child elements. If you call
getTextContent(), you might accidentally capture unrelated text. This matters in documents like XHTML or complex schemas. - Attributes vs child elements: Some schemas encode values as attributes, others as elements. Make sure you know which is required before you write transformation logic.
- Optional elements: A missing element does not throw an error. Your code must handle nulls gracefully.
- Duplicate keys: It is common to see documents with repeated IDs or keys when upstream systems are inconsistent. Decide how you handle that: first wins, last wins, or error.
- Whitespace-only nodes: When you iterate child nodes, you may see
#textnodes with whitespace. Filter byNode.ELEMENT_NODEunless you intentionally need text nodes.
If you handle these edge cases well, your DOM code becomes robust and much easier to maintain.
Serialization done right
Writing XML back out is a critical step in many workflows. I use Transformer for simple cases, but I tune a few properties to avoid surprises.
- Set
OutputKeys.INDENTtoyesfor human-readable XML. - Use the Apache indent property if you want consistent indentation.
- Specify encoding explicitly if non-ASCII characters are expected.
Here is my standard serialization configuration:
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
One thing to know: not all transformer implementations honor indentation the same way. If you need canonical XML or strict formatting, consider a canonicalization step or a dedicated serializer.
Security deep dive: more than just XXE
Most teams know about XXE, but there are other XML risks to be aware of:
- Billion laughs attacks: Entity expansion can explode memory usage. Disabling entity expansion prevents this.
- External DTD retrieval: Attackers can force your parser to fetch external resources. Disable DOCTYPE declarations.
- XInclude attacks: XInclude can pull in external content. Turn it off unless you explicitly need it.
My default configuration is restrictive. If I ever allow external access, I keep it behind explicit, documented allowlists and strict network controls. I also include these restrictions in unit tests, so regression is caught quickly.
DOM vs StAX: a practical hybrid
Sometimes a pure DOM approach is wasteful, but pure streaming is painful. A hybrid strategy is often the most pragmatic:
- Use StAX to scan and filter large XML documents.
- Build a DOM subtree for the portion that needs edits or validation.
- Serialize the edited subtree or reintegrate it with streaming output.
This gives you the best of both worlds: memory efficiency and mutation capability. I only recommend this when the document is large and the edits are localized. For small documents, the complexity is not worth it.
Testing strategies that keep XML honest
DOM code is easy to test because it is deterministic. I focus on tests that validate structure and value changes, not just string equality.
- Parse input XML and assert on node values and attributes.
- After transformation, parse the output XML and assert on the new structure.
- For schema-based systems, include at least one test that validates against the XSD.
Here is a minimal pattern I use in JUnit:
Document doc = builder.parse(new InputSource(new StringReader(xml)));
Element root = doc.getDocumentElement();
assertEquals("catalog", root.getTagName());
assertEquals(2, doc.getElementsByTagName("book").getLength());
I keep tests simple and focused. If XML is a contract between systems, tests are the cheapest insurance you have.
Modern tooling and AI-assisted workflows
I still rely on standard Java APIs for parsing, but my workflow is more automated in 2026. AI assistants help generate sample XML payloads or translate schemas into test fixtures. The key is to keep these artifacts under review so they do not drift from the real contract.
For team workflows, I recommend:
- A small script or task that validates XML samples against the schema in CI.
- A lint-like check that enforces secure parser settings in codebases that handle XML.
- A guideline document that states when DOM is allowed and when streaming should be used.
These are low-effort, high-value additions that prevent recurring mistakes.
Practical performance guidelines I share with teams
Performance is not just a technical detail; it is a team habit. When I coach developers, I give them a few simple rules:
- If the XML is below a few megabytes and you need edits, DOM is fine.
- If the XML is tens of megabytes or more, measure memory use early and consider streaming.
- Avoid repeated
getElementsByTagNameacross the whole document. Cache or navigate from a known parent. - Do not serialize repeatedly in loops. Batch changes and serialize once.
These heuristics are not perfect, but they prevent 90% of performance surprises.
A realistic end-to-end DOM pipeline
To bring it together, here is an end-to-end sketch of how a service might parse, validate, mutate, and emit XML safely. This is not a full application, but it shows the shape of production code.
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
factory.setFeature(XMLConstants.FEATURESECUREPROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setSchema(schema); // optional
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(inputSource);
Element root = doc.getDocumentElement();
root.normalize();
// Transform
Element price = (Element) root.getElementsByTagName("price").item(0);
if (price != null && price.getAttribute("currency").isBlank()) {
price.setAttribute("currency", "USD");
}
// Serialize
Transformer transformer = TransformerFactory.newInstance().newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8");
transformer.transform(new DOMSource(doc), new StreamResult(outputStream));
This is the core pattern I build on. It is simple, it scales to many use cases, and it is easy to test.
Alternative approaches that still complement DOM
DOM is not the only game in town. Sometimes an alternative is more appropriate, and I think it is healthy to say that out loud.
- JAXB or other binding libraries: Great when you want typed objects and can control the schema. Less great for partial edits or mixed content.
- StAX: Excellent for streaming reads and writes. Ideal for very large documents or pass-through transformations.
- XSLT: Powerful for document transformations, especially when the transformation is purely declarative. I still reach for DOM when I need procedural logic or integration with Java services.
I do not think of these as competitors. I think of them as a toolbox. DOM is the adjustable wrench; it is not always the best, but it is the one that can solve most problems if you use it carefully.
Final checklist I keep on my desk
Before I ship DOM parsing code, I run through a simple checklist. It has saved me more than once:
- Secure parser features enabled and tested.
- Namespace awareness on when needed.
- Schema validation in place if the XML is a contract.
- Helper methods or clear null guards for optional elements.
- Serialization configured with explicit encoding.
- At least one unit test covering the transformation.
If all of those are true, I feel confident the XML pipeline will behave well in production.
Closing thoughts
DOM is not flashy, but it is dependable. It shines when you need to understand and change XML, not just read it. The key is to accept its tradeoffs and to offset them with good practices: secure defaults, careful traversal, and simple helper methods. When you do that, DOM becomes a steady foundation for integration work, configuration management, and data transformations.
If I had to summarize my approach in one line, it would be this: I use DOM when I need control, I guard it with security, and I keep the code clear enough that future me will not hate it.
