Posted to commits@commons.apache.org by gg...@apache.org on 2023/03/20 12:46:56 UTC

[commons-jxpath] branch master updated: Document guarding for untrusted input

This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-jxpath.git


The following commit(s) were added to refs/heads/master by this push:
     new 1e7dc69  Document guarding for untrusted input
1e7dc69 is described below

commit 1e7dc69b949394cfb045ee5c40b7ed6c337d7a81
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Mon Mar 20 08:46:52 2023 -0400

    Document guarding for untrusted input
---
 src/site/xdoc/index.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index d417df1..eba8bd9 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -20,7 +20,6 @@
       <title>JXPath Home</title>
       <author email="dev@commons.apache.org">Commons Documentation Team</author>
       <author email="dmitri@apache.org">Dmitri Plotnikov</author>
-      <revision>$Id$</revision>
    </properties>
 
    <body>
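Review bot: the removal of `<revision>$Id$</revision>` from the properties block is unrelated to the subject "Document guarding for untrusted input" and is not mentioned in the commit message. Either move it to its own cleanup commit or add a line to the message, so the deletion is not mistaken for part of the security documentation change.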
@@ -72,6 +71,11 @@ while (it.hasNext()){
             for those who work with mixtures of Java objects and XML and need to frequently
             traverse through graphs of those.
           </p>
+          <p>
+            Some XPath expressions may cause Java code execution, so you should not allow arbitrary expressions from untrusted input, 
+            which could in turn lead to security issues in your environment. Future enhancements may include the addition of an allow 
+            list to let developers provide a stricter execution environment for expressions.
+          </p>
           <p>
             JXPath documentation currently contains:
             <ul>
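Review bot: the added paragraph says "Some XPath expressions may cause Java code execution" but does not say which kind of expression is meant or what a user can do about it today; the only mitigation it mentions, an allow list, is described as a future enhancement. I'd name the feature involved or link to the user guide section that covers it, and state the present-day guidance directly, for example that expressions should be fixed by the application rather than built from untrusted input. The clause "which could in turn lead to security issues" also attaches grammatically to "untrusted input" rather than to the act of allowing such expressions, so splitting it into two sentences would read better. The first two added lines end in trailing whitespace.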