I took some time to review the Xalan portion of the JAXP 1.3 donation recently. Here is a summary of the issues I found during the review.
The DOMResult class in JAXP 1.3 has a new nextSibling attribute. If nextSibling is not null, the result nodes should be inserted before it. This behavior is not implemented in the Xalan interpretive and XSLTC processor. Both processors ignore the nextSibling attribute and the result nodes are appended as the last children of the container. The new TransformerFactory.setFeature(String, boolean) method supports the setting of the XMLConstants.FEATURE_SECURE_PROCESSING feature. However, both processors are not using this feature to provide any security measure for XSLT processing. Although the behavior for the secure processing feature is implementation dependent, users would expect a reference implementation to make use of it when reading the javadocs of the TransformerFactory.setFeature method. One of the proposed behavior is to disable the use of extension elements and extension functions when this feature is set to true. As mentioned in Michael's note ( http://marc.theaimsgroup.com/?l=xml-commons-dev&m=111401160803500&w=2), a few classes have compile or runtime dependencies on JRE 1.4. We have maintained a minimum runtime requirement of JDK 1.1.8 and compile time requirement of JDK 1.2 so far. It would be nice to eliminate the JDK 1.4 requirement if that is not necessary. There are other minor issues which are not listed here, as I believe they can be addressed at a later time. Regards, -- Morris Kwan
