Usamak06 opened a new pull request, #1499:
URL: https://github.com/apache/wicket/pull/1499

XsltTransformer.transform creates its TransformerFactory with external
entity resolution still enabled, so a DOCTYPE in the markup being transformed
can declare a SYSTEM entity and read local files off the server. The sibling
XSLTResourceStream already guards against this, so I set the same
FEATURE_SECURE_PROCESSING flag here. Added a regression test that feeds an
external-entity payload through the transformer and checks the file contents
are not returned.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
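
An added example, not code from the pull request or from Wicket: a stand-alone check of the kind the description mentions, comparing a TransformerFactory with and without FEATURE_SECURE_PROCESSING. It assumes the JDK's built-in JAXP implementation and Java 11 or later; the class name, the `transform` helper, the identity transform and the canary file are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;

public class SecureTransformCheck {
    // Constructed marker standing in for the contents of a sensitive local file.
    static final String MARKER = "CANARY-constructed-for-this-example";

    /** Identity-transforms the markup; returns the output, or null if the transform was rejected. */
    static String transform(String markup, boolean secure) throws Exception {
        TransformerFactory factory = TransformerFactory.newInstance();
        if (secure) {
            // The flag named in the description.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        Transformer transformer = factory.newTransformer();
        StringWriter out = new StringWriter();
        try {
            transformer.transform(new StreamSource(new StringReader(markup)), new StreamResult(out));
        } catch (TransformerException e) {
            return null; // rejecting the document is an acceptable outcome
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Path canary = Files.createTempFile("canary", ".txt");
        try {
            Files.writeString(canary, MARKER);
            // Markup whose DOCTYPE declares a SYSTEM entity pointing at the canary file.
            String markup = "<!DOCTYPE p [<!ENTITY ext SYSTEM \"" + canary.toUri() + "\">]><p>&ext;</p>";
            String plain = transform(markup, false);
            String hardened = transform(markup, true);
            System.out.println("default factory leaked canary: " + (plain != null && plain.contains(MARKER)));
            if (hardened != null && hardened.contains(MARKER)) {
                throw new AssertionError("external entity was resolved despite FEATURE_SECURE_PROCESSING");
            }
            System.out.println("hardened factory did not return the canary");
        } finally {
            Files.delete(canary);
        }
    }
}
```

Other TransformerFactory implementations on the classpath may treat the flag differently, so the check is worth running against the implementation the application actually loads.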
