Posted to dev@xalan.apache.org by "Steve Jones (JIRA)" <xa...@xml.apache.org> on 2008/03/01 01:53:51 UTC
[jira] Created: (XALANJ-2435) Use of secure processing feature should disable some output properties
Use of secure processing feature should disable some output properties
----------------------------------------------------------------------
Key: XALANJ-2435
URL: https://issues.apache.org/jira/browse/XALANJ-2435
Project: XalanJ2
Issue Type: Bug
Affects Versions: 2.7.1
Reporter: Steve Jones
When using the FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory it seems appropriate that the output properties:
{http://xml.apache.org/xalan}content-handler
{http://xml.apache.org/xalan}entities
{http://xml.apache.org/xslt}content-handler
{http://xml.apache.org/xslt}entities
should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)
These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired.
<xsl:output xalan:content-handler="org.example.BadClass" ...
<xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc.
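One defensive check a consumer of untrusted stylesheets can apply until the factory itself ignores these properties, as an added example that is not part of the report or of Xalan: compile with FEATURE_SECURE_PROCESSING enabled, then reject any stylesheet whose compiled output properties contain the four keys named above. It assumes the JAXP implementation exposes foreign xsl:output attributes in Templates.getOutputProperties() under their "{uri}local-name" keys, as Xalan does, and the class, method and sample stylesheet names are hypothetical.

```java
import java.io.StringReader;
import java.util.Properties;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class OutputPropertyGate {

    // The output properties from the report, in the "{namespace-uri}local-name"
    // form that JAXP uses for keys in Templates.getOutputProperties().
    static final String[] DISALLOWED_OUTPUT_KEYS = {
        "{http://xml.apache.org/xalan}content-handler",
        "{http://xml.apache.org/xalan}entities",
        "{http://xml.apache.org/xslt}content-handler",
        "{http://xml.apache.org/xslt}entities",
    };

    // Compile the stylesheet with secure processing on, then refuse it if it
    // declares any of the keys above (assumption: Xalan surfaces them here).
    static Templates compileChecked(String stylesheet) throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Templates templates = tf.newTemplates(new StreamSource(new StringReader(stylesheet)));
        Properties out = templates.getOutputProperties();
        for (String key : DISALLOWED_OUTPUT_KEYS) {
            String value = out.getProperty(key);
            if (value != null) {
                throw new TransformerConfigurationException(
                    "stylesheet sets disallowed output property " + key + "=" + value);
            }
        }
        return templates;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample carrying the xalan:content-handler attribute from the report.
        String untrusted =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
            + " xmlns:xalan=\"http://xml.apache.org/xalan\">"
            + "<xsl:output method=\"xml\" xalan:content-handler=\"org.example.BadClass\"/>"
            + "<xsl:template match=\"/\"><out/></xsl:template></xsl:stylesheet>";
        try {
            compileChecked(untrusted);
            System.out.println("accepted");
        } catch (TransformerConfigurationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```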