On Wed, 17 Apr 2024 23:24:06 GMT, Joe Wang <jo...@openjdk.org> wrote:

> Add two sample configuration files:
> 
>   jaxp-strict.properties: used to set strict configuration, stricter than 
> jaxp.properties in previous versions such as JDK 22
> 
>   jaxp-compat.properties: used to regain compatibility from any more 
> restricted configuration than previous versions such as JDK 22

Just some context here. The JDK has been on a path for many releases to make 
XML processing more secure by default. At some point there will be a 
proposal/JEP to flip the switch, something that may create an upgrade challenge 
for some applications and deployments that haven't embraced the various 
security features and configuration added over the last 10+ years. The addition 
of conf/jaxp-strict.properties allows deployments to test the more 
secure/strict behavior in preparation for a possible future where strict is the 
default. As examples: trying this out may help identify processing XML that 
(perhaps unknowingly) makes outbound network connections to fetch a DTD, or 
processing XML that relies on extension functions. So I think it is very useful to 
have this configuration available in a shipping JDK, but it may need a 
write-up/JEP before anyone knows about this.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2063474370
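
The dependency mentioned in the message above, XML whose processing triggers an outbound DTD fetch, can also be surfaced for a single parser with the standard JAXP property `XMLConstants.ACCESS_EXTERNAL_DTD`. This is an added example, not code from the PR or the JDK; the class name, sample documents and host name are constructed, and it makes no claim about which settings `jaxp-strict.properties` contains.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class DtdFetchCheck {
    // Constructed sample: the DOCTYPE points at a remote DTD (hypothetical host).
    static final String REMOTE_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\">\n"
        + "<note>hello</note>";

    // Constructed sample: no DOCTYPE, so nothing external is referenced.
    static final String NO_DTD = "<note>hello</note>";

    /**
     * Parses xml with every protocol denied for external DTDs.
     * Returns null when parsing succeeds, otherwise the parser's message,
     * which names the DTD and the protocol that was refused.
     */
    static String parseWithExternalDtdDenied(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // An empty value denies all protocols (http, file, jar, ...).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return null;
        } catch (SAXException e) {
            // The check fails before any connection is attempted, so this runs offline.
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no DOCTYPE -> " + parseWithExternalDtdDenied(NO_DTD));
        System.out.println("remote DTD -> " + parseWithExternalDtdDenied(REMOTE_DTD));
    }
}
```

To apply a whole configuration file to a JVM instead of one factory, JDK 21 and later accept the `java.xml.config.file` system property.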
