Posted to commits@commons.apache.org by gg...@apache.org on 2023/03/20 12:46:56 UTC
[commons-jxpath] branch master updated: Document guarding for untrusted input
This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-jxpath.git
The following commit(s) were added to refs/heads/master by this push:
new 1e7dc69 Document guarding for untrusted input
1e7dc69 is described below
commit 1e7dc69b949394cfb045ee5c40b7ed6c337d7a81
Author: Gary Gregory <ga...@gmail.com>
AuthorDate: Mon Mar 20 08:46:52 2023 -0400
Document guarding for untrusted input
---
src/site/xdoc/index.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index d417df1..eba8bd9 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -20,7 +20,6 @@
<title>JXPath Home</title>
<author email="dev@commons.apache.org">Commons Documentation Team</author>
<author email="dmitri@apache.org">Dmitri Plotnikov</author>
- <revision>$Id$</revision>
</properties>
<body>
@@ -72,6 +71,11 @@ while (it.hasNext()){
for those who work with mixtures of Java objects and XML and need to frequently
traverse through graphs of those.
</p>
+ <p>
+ Some XPath expressions may cause Java code execution, so you should not allow arbitrary expressions from untrusted input,
+ which could in turn lead to security issues in your environment. Future enhancements may include the addition of an allow
+ list to let developers provide a stricter execution environment for expressions.
+ </p>
<p>
JXPath documentation currently contains:
<ul>
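Review bot: the new paragraph warns that "Some XPath expressions may cause Java code execution" but leaves the reader with nothing actionable today: it names neither which expression features lead to code execution nor what a developer can do right now (for example, evaluating only expressions the application itself constructs, or restricting the functions available to the evaluator). Suggest one sentence of concrete guidance, phrased as a direct instruction ("Do not evaluate expressions taken from untrusted input") rather than "you should not allow arbitrary expressions from untrusted input, which could in turn lead to security issues in your environment". The sentence "Future enhancements may include the addition of an allow list ..." is a roadmap statement inside reference documentation; either link it to a tracked issue or drop it so the page does not promise a feature that may not ship.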