You are viewing a plain text version of this content. The canonical link for it is here.

Posted to fop-dev@xmlgraphics.apache.org by "Graham Hadden (Jira)" <ji...@apache.org> on 2020/12/02 11:08:00 UTC

[jira] [Created] (FOP-2987) Allow FOP to set Batik blockExternalResources flag

Graham Hadden created FOP-2987:
----------------------------------

             Summary: Allow FOP to set Batik blockExternalResources flag
                 Key: FOP-2987
                 URL: https://issues.apache.org/jira/browse/FOP-2987
             Project: FOP
          Issue Type: New Feature
          Components: image/svg
            Reporter: Graham Hadden


Batik 1.13+ has a flag blockExternalResources to allow blocking of external resources in the xlink:href of SVGs (see https://issues.apache.org/jira/browse/BATIK-1276). 

However, there doesn't seem to be any way to set this flag within FOP which leaves the original SSRF security vulnerability open.

We would like to request that a new feature is added to FOP such that it's possible to set the Batik blockExternalResources flag via config. 

Thank you.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)