On Thu, 16 May 2024 22:20:39 GMT, Joe Wang <jo...@openjdk.org> wrote:
>> Add two sample configuration files: >> >> jaxp-strict.properties: used to set strict configuration, stricter than >> jaxp.properties in previous versions such as JDK 22 >> >>> jaxp-compat.properties: used to regain compatibility from any more >>> restricted configuration than previous versions such as JDK 22 >> >> Updated 5/16/2024 >> >> Design change: >> The design is changed to include in the JDK two configuration files that are >> the default jaxp.properties and jaxp-strict.properties, instead of three, >> dropping jaxp-compat.properties. > > Joe Wang has updated the pull request incrementally with one additional > commit since the last revision: > > remove jaxp-compat.properties from the list src/java.xml/share/conf/jaxp-strict.properties line 9: > 7: # test the more secure/strict behavior, identify issues such as a processor > 8: # unknowingly makes outbound network connections to fetch DTD, or > processes XML > 9: # that relies on extension functions. There isn't a JEP to propose that XML processing be secure by default on the technical roadmap right now so I think this paragraph will need to be tweaked to avoid making any assumptions. I think just say that the file provides the settings for more secure XML processing and drop the text about testing (and "and create your own configuration file for the experiment" from the paragraph below). ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604405287
