You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@xalan.apache.org by "Steve Jones (JIRA)" <xa...@xml.apache.org> on 2008/03/01 01:53:51 UTC

[jira] Created: (XALANJ-2435) Use of secure processing feature should disable some output properties

Use of secure processing feature should disable some output properties
----------------------------------------------------------------------

                 Key: XALANJ-2435
                 URL: https://issues.apache.org/jira/browse/XALANJ-2435
             Project: XalanJ2
          Issue Type: Bug
    Affects Versions: 2.7.1
            Reporter: Steve Jones


When using the FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory it seems appropriate that the output properties:

  {http://xml.apache.org/xalan}content-handler 
  {http://xml.apache.org/xalan}entities
  {http://xml.apache.org/xslt}content-handler 
  {http://xml.apache.org/xslt}entities

should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)

These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired.

   <xsl:output xalan:content-handler="org.example.BadClass" ...
   <xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...

These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: xalan-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xalan-dev-help@xml.apache.org