[ https://issues.apache.org/jira/browse/TIKA-3164?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17456772#comment-17456772 ]
PJ Fanning commented on TIKA-3164:
----------------------------------

[~tallison] we try to set as many settings as possible to prevent the XML parser or transformer from being susceptible to XXE issues and if a user's JAXP setup loads implementations that are less safe then they could be susceptible to XXE.

From what I have seen, it will be unpopular for us to force uptake of particular parser and transformer implementations. These days, xerces is not regularly released and the forks of xerces that are built into the Java runtime probably are safer. You could say the same for xalan. On the transformer side, you have saxon as an alternative.

> Upgrade to POI 5.0.0 when available
> -----------------------------------
>
>                 Key: TIKA-3164
>                 URL: https://issues.apache.org/jira/browse/TIKA-3164
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
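
A sketch of the best-effort approach the comment describes, as an added example (not Tika's or POI's own code): each hardening setting is attempted on whatever JAXP implementation gets loaded, and settings that implementation rejects are recorded rather than aborting. The class name, method names and the `REJECTED` list are hypothetical; the feature and attribute names are the standard JAXP, SAX and Xerces ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper: harden the JAXP factories that the runtime resolves.
public class BestEffortXmlHardening {
    // Settings the loaded implementation refused; review these per deployment.
    static final List<String> REJECTED = new ArrayList<>();

    static DocumentBuilderFactory hardenedParserFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        trySet(f, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        trySet(f, "http://apache.org/xml/features/disallow-doctype-decl", true);
        trySet(f, "http://xml.org/sax/features/external-general-entities", false);
        trySet(f, "http://xml.org/sax/features/external-parameter-entities", false);
        trySet(f, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        try {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            REJECTED.add(f.getClass().getName() + " " + XMLConstants.FEATURE_SECURE_PROCESSING);
        }
        // An empty protocol list forbids fetching external DTDs and stylesheets (JAXP 1.5).
        for (String attr : new String[] {XMLConstants.ACCESS_EXTERNAL_DTD,
                                         XMLConstants.ACCESS_EXTERNAL_STYLESHEET}) {
            try {
                f.setAttribute(attr, "");
            } catch (IllegalArgumentException e) { // implementation does not know the attribute
                REJECTED.add(f.getClass().getName() + " " + attr);
            }
        }
        return f;
    }

    private static void trySet(DocumentBuilderFactory f, String feature, boolean value) {
        try {
            f.setFeature(feature, value);
        } catch (ParserConfigurationException e) { // feature unsupported by this parser
            REJECTED.add(f.getClass().getName() + " " + feature);
        }
    }
}
```

Logging the resolved factory class names alongside `REJECTED` shows which parser and transformer a given classpath actually selected and which protections it lacks.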