Victor Kazakov created XALANJ-2591:
--------------------------------------

             Summary: Transform XSLT using Xalan into XHTML fails with secure processing feature when using attributes
                 Key: XALANJ-2591
                 URL: https://issues.apache.org/jira/browse/XALANJ-2591
             Project: XalanJ2
          Issue Type: Bug
      Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects.  Anybody can view the issue.)
          Components: transformation, Xalan
    Affects Versions: 2.7.2
            Reporter: Victor Kazakov
            Assignee: Steven J. Hathaway


I'm trying to use the updated version of Xalan (2.7.2) in secure mode and 
am having an issue with it not being able to understand unknown attributes. 
The problem is that it prevents you from using any stylesheet that emits XHTML 
(in secure processing mode) because it disallows things like “colspan” 
attributes of “th” elements.

The associated changed file is here: 
http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h

See the following example:
{code:java}
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.apache.xml.utils.DefaultErrorHandler;

public class XalanSecureAttributeRepro {
    // Minimal stylesheet whose literal result element carries an HTML attribute.
    private static final String XSL =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
            "  <xsl:output method=\"html\"/>\n" +
            "  <xsl:template match=\"/*\">\n" +
            "    <th colspan=\"2\"/>\n" +
            "  </xsl:template>\n" +
            "</xsl:stylesheet>";

    public static void main( String[] args ) throws Exception {
        // Force JAXP to pick Xalan rather than the JDK's built-in XSLT processor.
        System.setProperty( "javax.xml.transform.TransformerFactory",
                "org.apache.xalan.processor.TransformerFactoryImpl" );

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xalan's own error handler; "true" makes it throw on errors.
        tf.setErrorListener( new DefaultErrorHandler( true ) );

        final Source source = new StreamSource( new StringReader( XSL ) );
        Templates templates = tf.newTemplates( source ); // throws:
                // TransformerException: "colspan" attribute is not allowed on the th element!
    }
}
{code}
It returns this error:
{code}
Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
    at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
    ... 6 more
Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
    at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
    at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
    at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
    at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
    at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
    at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
    ... 6 more
Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
    ... 22 more
{code}

This worked properly in 2.7.1.
Am I missing setting a feature on the transformer factory? How would you 
transform a stylesheet that emits (X)HTML in secure processing mode using Xalan?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
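
Added example (not part of the original report and not Xalan project code): a small JAXP harness that compiles constructed stylesheets with FEATURE_SECURE_PROCESSING off and on and reports which ones the factory rejects, as a pre-upgrade check for the behaviour described in the report. The class name, the compile helper and the sample stylesheets are assumptions made for illustration; it uses whichever TransformerFactory JAXP resolves, so select Xalan with the javax.xml.transform.TransformerFactory system property used in the report.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;

public class SecureCompileCheck { // hypothetical name, not from the report
    static final String HEAD =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:output method=\"html\"/><xsl:template match=\"/*\">";
    static final String TAIL = "</xsl:template></xsl:stylesheet>";

    // Returns null if the stylesheet compiles, otherwise the error message.
    static String compile(String xsl, boolean secure) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
            // Standard JAXP listener: ignore warnings, fail on any error.
            tf.setErrorListener(new ErrorListener() {
                public void warning(TransformerException e) { }
                public void error(TransformerException e) throws TransformerException { throw e; }
                public void fatalError(TransformerException e) throws TransformerException { throw e; }
            });
            tf.newTemplates(new StreamSource(new StringReader(xsl)));
            return null;
        } catch (TransformerException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed samples; replace with the stylesheets you actually deploy.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("no attribute", HEAD + "<th/>" + TAIL);
        samples.put("literal attribute", HEAD + "<th colspan=\"2\"/>" + TAIL);
        // Probe only: whether this form is accepted is what the check reports.
        samples.put("xsl:attribute form",
            HEAD + "<th><xsl:attribute name=\"colspan\">2</xsl:attribute></th>" + TAIL);
        for (Map.Entry<String, String> s : samples.entrySet()) {
            for (boolean secure : new boolean[] { false, true }) {
                String err = compile(s.getValue(), secure);
                System.out.printf("%-20s secure=%-5b %s%n", s.getKey(), secure,
                    err == null ? "compiled" : "REJECTED: " + err);
            }
        }
    }
}
```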
