Usamak06 opened a new pull request, #1499: URL: https://github.com/apache/wicket/pull/1499
XsltTransformer.transform creates its TransformerFactory with external entity resolution still enabled, so a DOCTYPE in the markup being transformed can declare a SYSTEM entity and read local files off the server. The sibling XSLTResourceStream already guards against this, so I set the same FEATURE_SECURE_PROCESSING flag here. Added a regression test that feeds an external-entity payload through the transformer and checks the file contents are not returned.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
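The factory hardening the PR describes, as an added stand-alone example (not Wicket's own code or the PR's test): a default TransformerFactory beside one with FEATURE_SECURE_PROCESSING enabled, run over a constructed input whose DOCTYPE references a temp file the example creates itself. The class name, the canary file and the explicit ACCESS_EXTERNAL_* attributes (belt and braces on top of the flag the PR sets) are assumptions; it relies on the JDK's built-in XSLT implementation.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureXsltCheck {

    // Hardened factory: FEATURE_SECURE_PROCESSING as in the fix, plus explicit
    // ACCESS_EXTERNAL_* = "" (assumed extra; the JDK sets these under FSP anyway).
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Implementation without JAXP 1.5 attributes: FSP alone still applies.
        }
        return f;
    }

    static String transform(TransformerFactory f, String xslt, String xml) throws Exception {
        Transformer t = f.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed canary file standing in for a server-side file.
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        Files.write(canary, "CANARY-DO-NOT-LEAK".getBytes(StandardCharsets.UTF_8));
        String xslt = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:output method='text'/><xsl:template match='/'><xsl:value-of select='/doc'/>"
            + "</xsl:template></xsl:stylesheet>";
        // Regression input in the spirit of the PR's test: the entity points at the canary.
        String xml = "<!DOCTYPE doc [<!ENTITY ext SYSTEM '" + canary.toUri() + "'>]><doc>&ext;</doc>";

        String unsafe = transform(TransformerFactory.newInstance(), xslt, xml);
        String safe;
        try { safe = transform(hardenedFactory(), xslt, xml); }
        catch (Exception e) { safe = ""; } // the hardened factory may reject the DOCTYPE outright
        System.out.println("default factory leaks canary:  " + unsafe.contains("CANARY"));
        System.out.println("hardened factory leaks canary: " + safe.contains("CANARY"));
        Files.delete(canary);
    }
}
```

A regression test along these lines asserts that the hardened output never contains the canary, whether the transformer fails fast or silently drops the entity.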
