Posted to dev@tomcat.apache.org by jb...@apache.org on 2015/02/10 17:44:00 UTC

svn commit: r1658757 - in /tomcat/taglibs/standard/trunk: CHANGES.txt README_bin.txt

Author: jboynes
Date: Tue Feb 10 16:43:59 2015
New Revision: 1658757

URL: http://svn.apache.org/r1658757
Log:
Update changes and docs

Modified:
    tomcat/taglibs/standard/trunk/CHANGES.txt
    tomcat/taglibs/standard/trunk/README_bin.txt

Modified: tomcat/taglibs/standard/trunk/CHANGES.txt
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/CHANGES.txt?rev=1658757&r1=1658756&r2=1658757&view=diff
==============================================================================
--- tomcat/taglibs/standard/trunk/CHANGES.txt (original)
+++ tomcat/taglibs/standard/trunk/CHANGES.txt Tue Feb 10 16:43:59 2015
@@ -5,6 +5,11 @@ Changes in 1.2.3 release
 57548 Update library version number printed by Version class
 57547 Fix regression with running on older JREs
 
+XML tags now enable FEATURE_SECURE_PROCESSING when parsing and transforming. The JSTL-specific
+EntityResolver also checks the protocol being used against a white-list specified in the system
+property org.apache.taglibs.standard.xml.accessExternalEntity in to order to limit access on
+older JREs.
+
 Changes in 1.2.2 release [WITHDRAWN due to regressions in older JREs]
 
 57433 Double-check locking in ExpressionEvaluatorManager
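
Review bot: the third added line reads "in to order to limit access", which should be "in order to limit access". The entry also names org.apache.taglibs.standard.xml.accessExternalEntity without saying what a value looks like or what the default is; because this is a security-relevant behaviour change that can stop existing pages from resolving external entities, a pointer to the COMPATIBILITY section of README_bin.txt would help readers who only see the change log. Unlike the neighbouring entries (57548, 57547) this one carries no issue number; if a tracking issue exists, prefix the entry with it so the change is traceable.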

Modified: tomcat/taglibs/standard/trunk/README_bin.txt
URL: http://svn.apache.org/viewvc/tomcat/taglibs/standard/trunk/README_bin.txt?rev=1658757&r1=1658756&r2=1658757&view=diff
==============================================================================
--- tomcat/taglibs/standard/trunk/README_bin.txt (original)
+++ tomcat/taglibs/standard/trunk/README_bin.txt Tue Feb 10 16:43:59 2015
@@ -88,9 +88,16 @@ The JSTL tag library can be imported int
 ---------------------------------------------------------------------------
 COMPATIBILITY
 
-The 1.2 version of the Standard Taglib has been tested under Tomcat 7.0.47
+The 1.2 version of the Standard Taglib has been tested using Tomcat 7.0.57
 and should work in any compliant JSP 2.1 (or later) container.
 
+In version 1.2.3 and later, the XML libraries enable FEATURE_SECURE_PROCESSING
+when parsing and transforming. A new system property
+  org.apache.taglibs.standard.xml.accessExternalEntity
+can be used to further restrict the protocols over which external entities can
+be resolved. When a SecurityManager is enabled this will, by default, allow
+access to no protocols.
+
 ---------------------------------------------------------------------------
 COMMENTS AND QUESTIONS
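
Review bot: the added COMPATIBILITY paragraph states the default only for the SecurityManager case ("allow access to no protocols") and leaves out both the default when no SecurityManager is enabled and the value syntax of org.apache.taglibs.standard.xml.accessExternalEntity. An operator hardening a deployment needs both to know whether external entity resolution is restricted out of the box and how to write the protocol list. Suggest adding one sentence for the no-SecurityManager default and one giving the accepted value format. It would also help to repeat the point from CHANGES.txt that the property exists to limit access on older JREs, since "further restrict" on its own does not say what FEATURE_SECURE_PROCESSING already covers.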
 


