[ https://issues.apache.org/jira/browse/XALANJ-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Lyons updated XALANJ-2591:
-------------------------------

    Attachment: XSLTElementProcessor.patch

Attached is a possible patch that changes this behavior.  

It is being contributed as a "small bugfix" per section 7.4 of the Xalan-J 
charter. The patch was created by me.  My employer, CA Technologies, has 
approved contribution of this patch to the Xalan-J project.  I'm not aware of 
any third-party licenses or other restrictions that could apply to this patch.


This patch changes XSLTElementProcessor to:

* Permit namespace declaration attributes in secure processing mode
* Permit foreign attributes in secure processing mode if not from a list of 
special namespaces
* Permit secure processing foreign attribute restrictions to be disabled 
completely with a system property

The patch is likely not ideal for Xalan-J in its raw form.


h4. Permit namespace declaration attributes in secure processing mode

Namespace declarations bypass foreign attribute restrictions.

Foreign attributes will be allowed if they are global attributes in one of the 
following namespace URIs:

*   http://www.w3.org/XML/1998/namespace
*   http://www.w3.org/2000/xmlns/

A preexisting hack (commented as "for Crimson.  -sb") sets the first of these 
namespaces if the attribute qname is "xmlns" or starts with "xmlns:".

The intent of this change is to allow stylesheets input via DOMSource to 
function.  Without it (or some other fix), namespace declarations hit the 
attribute processor and fail the foreign attributes check.  (A work-around for 
this issue is to use a StreamSource instead.)


h4. Permit foreign attributes in secure processing mode if not from a list of special namespaces

Element literal results will bypass the foreign attribute check if they avoid 
possibly-problematic namespaces.

Foreign attributes will be permitted in secure processing mode as long as the 
attribute is not a global attribute in one of the following namespace URIs:

*   http://xml.apache.org/xalan
*   http://xml.apache.org/xslt
*   http://icl.com/saxon
*   http://www.w3.org/1999/XSL/Transform

and the element containing the attribute is an element literal result and is 
not in one of the above namespaces.

The intent of this change is to allow attributes to be emitted by stylesheets 
in secure mode. Without it (or some other fix), it would (apparently) not be 
possible to (for example) have a stylesheet that emits an XHTML output result 
(because Xalan would have rejected any attributes on any XHTML elements).


h4. Permit secure processing foreign attribute restrictions to be disabled completely with a system property

The system property 
"com.l7tech.org.apache.xalan.processor.allowAttributesInSecureMode" can be set 
to "true" to disable the foreign attribute restrictions in secure mode that 
were added in Xalan 2.7.2.

Enabling this may permit insecure use of the content-handler and entities 
attributes and should be avoided except as a last resort on systems that do not 
need to execute stylesheets from untrusted sources.

The intent of this change is to have a last-ditch fallback resort for existing 
systems that use secure mode and can't be made to work with the default 
behavior.

Possibly this part of the patch should not be included in Xalan-J.  If it is, 
the system property should probably be renamed.


> Transform XSLT using Xalan into XHTML fails with secure processing feature 
> when using attributes
> ------------------------------------------------------------------------------------------------
>
>                 Key: XALANJ-2591
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2591
>             Project: XalanJ2
>          Issue Type: Bug
>      Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects.  Anybody can view the issue.)
>          Components: transformation, Xalan
>    Affects Versions: 2.7.2
>            Reporter: Victor Kazakov
>            Assignee: Steven J. Hathaway
>         Attachments: XSLTElementProcessor.patch
>
>
> I'm trying to use the updated version of Xalan (2.7.2) in secure mode and 
> having issue with it not able to understand unknown attributes. The problem 
> is, it prevents you from using any stylesheet that emits XHTML (in secure 
> processing mode) because it disallows things like “colspan” attributes of 
> “th” elements.
> The associated changed file is here: 
> http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h
> See the following example:
> {code:java}
> import javax.xml.XMLConstants;
> import javax.xml.transform.*;
> import javax.xml.transform.stream.StreamSource;
> import java.io.StringReader;
> import org.apache.xml.utils.DefaultErrorHandler;
> public class XalanSecureAttributeRepro {
>     private static final String XSL =
>             "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
>             "  <xsl:output method=\"html\"/>\n" +
>             "  <xsl:template match=\"/*\">\n" +
>             "    <th colspan=\"2\"/>\n" +
>             "  </xsl:template>\n" +
>             "</xsl:stylesheet>";
>     public static void main( String[] args ) throws Exception {
>         System.setProperty( "javax.xml.transform.TransformerFactory", "org.apache.xalan.processor.TransformerFactoryImpl" );
>         TransformerFactory tf = TransformerFactory.newInstance();
>         tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
>         tf.setErrorListener( new DefaultErrorHandler( true ) );
>         final Source source = new StreamSource( new StringReader( XSL ) );
>         Templates templates = tf.newTemplates( source ); // throws:
>                         // TransformerException: "colspan" attribute is not allowed on the th element!
>     }
> }
> {code}
> It returns this error:
> {code}
> Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
>     at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
> Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
>     ... 6 more
> Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
>     at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
>     at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
>     at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
>     at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
>     at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
>     at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
>     at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
>     ... 6 more
> Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
>     ... 22 more
> {code}
> This worked properly in 2.7.1.
> Am I missing setting a feature on the transformer factory? How would you 
> transform a stylesheet that emits (X)HTML in secure processing mode using 
> Xalan?
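As an added illustration, not part of the issue, the attached patch, or Xalan's own code, the following Python models the attribute-admission rule Mike Lyons describes in the three sections above and applies it to the reporter's `<th colspan="2"/>` case. The stylesheet is parsed without namespace processing so that `xmlns` and `xmlns:*` declarations arrive as ordinary attributes, which mimics the DOMSource path the first section talks about; `patched=False` models the 2.7.2 behaviour the report describes (every foreign attribute on a literal result element rejected), `patched=True` models the patched rules, and the `override` flag stands in for the system property. The `KNOWN_LRE_XSL_ATTRS` set, the `override` name and the sample stylesheet are assumptions made for the example; the `xalan:content-handler` attribute in the sample is there only to show that it stays rejected after the patch.

```python
import xml.sax
from xml.sax.handler import ContentHandler

XML_NS = "http://www.w3.org/XML/1998/namespace"
XMLNS_NS = "http://www.w3.org/2000/xmlns/"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Namespaces whose global attributes stay restricted on literal result elements
# in secure mode (the four URIs listed in the patch comment).
RESTRICTED_NS = {
    "http://xml.apache.org/xalan",
    "http://xml.apache.org/xslt",
    "http://icl.com/saxon",
    XSL_NS,
}

# xsl:* attributes a literal result element may legitimately carry.  Xalan
# resolves these from its own property tables before any foreign-attribute
# check, so the model treats them as recognised, not foreign (assumption).
KNOWN_LRE_XSL_ATTRS = {"use-attribute-sets", "extension-element-prefixes",
                       "exclude-result-prefixes", "version"}


def attribute_allowed(elem_ns, attr_qname, attr_ns, attr_local,
                      patched=True, override=False):
    """Decide whether one attribute on a literal result element passes the
    secure-processing check.  patched=False: every foreign attribute is an
    error (2.7.2 as reported).  patched=True: the three rules of the patch.
    override models the system property described in the comment (assumption)."""
    if attr_ns == XSL_NS and attr_local in KNOWN_LRE_XSL_ATTRS:
        return True                      # recognised; never treated as foreign
    if attr_qname == "xmlns" or attr_qname.startswith("xmlns:"):
        attr_ns = XML_NS                 # the "for Crimson" hack from the comment
    if not patched:
        return False                     # 2.7.2: any foreign attribute is rejected
    if attr_ns in (XML_NS, XMLNS_NS):
        return True                      # namespace declarations bypass the check
    if override:
        return True                      # system property disables the check
    # allowed unless the attribute or its element is in a restricted namespace
    return elem_ns not in RESTRICTED_NS and attr_ns not in RESTRICTED_NS


class _Scanner(ContentHandler):
    """Non-namespace-aware walk: xmlns:* show up as raw attributes, as they
    would when the stylesheet comes in through a DOMSource."""

    def __init__(self, patched, override):
        super().__init__()
        self.patched, self.override = patched, override
        self.ns_stack = [{"xml": XML_NS}]   # prefix -> URI, one map per element
        self.decisions = []                  # (element qname, attr qname, allowed)

    @staticmethod
    def _split(qname):
        prefix, _, local = qname.rpartition(":")
        return prefix, local

    def startElement(self, name, attrs):
        scope = dict(self.ns_stack[-1])
        for qn, value in attrs.items():      # declarations on this element first
            if qn == "xmlns":
                scope[""] = value
            elif qn.startswith("xmlns:"):
                scope[qn[6:]] = value
        self.ns_stack.append(scope)
        elem_ns = scope.get(self._split(name)[0], "")
        if elem_ns == XSL_NS:
            return                           # xsl:* instructions are outside this model
        for qn in attrs.keys():
            prefix, local = self._split(qn)
            attr_ns = scope.get(prefix, "") if prefix else ""   # unprefixed: no namespace
            ok = attribute_allowed(elem_ns, qn, attr_ns, local,
                                   self.patched, self.override)
            self.decisions.append((name, qn, ok))

    def endElement(self, name):
        self.ns_stack.pop()


def scan(xsl_text, patched=True, override=False):
    """Return (element, attribute, allowed) for every attribute on a literal result element."""
    handler = _Scanner(patched, override)
    xml.sax.parseString(xsl_text.encode("utf-8"), handler)
    return handler.decisions


def rejected(xsl_text, patched=True, override=False):
    """Only the (element, attribute) pairs the check would refuse."""
    return [(el, at) for el, at, ok in scan(xsl_text, patched, override) if not ok]


# Constructed sample: the reporter's <th colspan="2"/> plus XHTML output with a
# namespace declaration, an xml:lang attribute, a recognised xsl:* attribute and
# one extension attribute in the xalan namespace (placeholder value).
SAMPLE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xalan="http://xml.apache.org/xalan">
  <xsl:output method="html"/>
  <xsl:template match="/*">
    <th colspan="2"/>
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
      <body xsl:use-attribute-sets="base"/>
    </html>
    <out xalan:content-handler="PLACEHOLDER"/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for mode in ({"patched": False}, {"patched": True}, {"patched": True, "override": True}):
        print(mode, "rejected:", rejected(SAMPLE_XSL, **mode))
```

Running the block prints, for each mode, which attributes the check refuses: in the unpatched model the reporter's `colspan` is among them, in the patched model only the `xalan:content-handler` attribute remains rejected, and with the override nothing is rejected at all, which is why the comment calls the property a last resort.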


