You are viewing a plain text version of this content. The canonical link for it is here.

Posted to fop-dev@xmlgraphics.apache.org by "Simon Steiner (Jira)" <ji...@apache.org> on 2022/08/01 09:56:00 UTC

[jira] [Commented] (FOP-3086) allow override of http://apache.org/xml/features/disallow-doctype-decl

    [ https://issues.apache.org/jira/browse/FOP-3086?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17573665#comment-17573665 ] 

Simon Steiner commented on FOP-3086:
------------------------------------

What about calling fop by using https://xmlgraphics.apache.org/fop/trunk/embedding.html

> allow override of http://apache.org/xml/features/disallow-doctype-decl
> ----------------------------------------------------------------------
>
>                 Key: FOP-3086
>                 URL: https://issues.apache.org/jira/browse/FOP-3086
>             Project: FOP
>          Issue Type: Improvement
>    Affects Versions: 2.7
>            Reporter: Greg Janée
>            Priority: Blocker
>
> In org.apache.fop.cli.InputHandler.getXMLReader, there is a call that is hard-coded to set SAX feature [http://apache.org/xml/features/disallow-doctype-decl] to true.  This breaks existing implementations (such as mine) that process libraries of templates that contain DOCTYPE declarations.  While I'm sure there was a reason for this change (security against rogue DOCTYPE contents I'm guessing), the risk doesn't apply for implementations that are processing internally-maintained templates and that are not processing templates coming in from the wild.  The request is to make this setting overrideable to false by some kind of FOP configuration parameter or environment variable.  As it is, this completely breaks FOP for my installation, and the only way I've been able to continue to run is to monkey-patch the JAR file.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)