Freeman Yue Fang created CAMEL-14501:
----------------------------------------

             Summary: gain full control of the XML parser used by Saxon
                 Key: CAMEL-14501
                 URL: https://issues.apache.org/jira/browse/CAMEL-14501
             Project: Camel
          Issue Type: Improvement
          Components: camel-xslt
         Environment: Currently we can configure the TransformerFactory used by 
Saxon by specifying features/attributes there. However, this only takes 
effect on an XML parser that Saxon creates. It has no effect if the Camel 
application creates the XML parser (that is, if the input is supplied to Saxon 
as a Source object).

Per the [Saxon community discussion here|https://saxonica.plan.io/issues/2457m]:
{code}
If you want detailed control over parsing, the best way is to create an 
XMLReader yourself and supply it to Saxon within a SAXSource object.
{code}

So we need to add a saxonReaderProperties option to the camel-xslt-saxon endpoint: if 
saxonReaderProperties isn't null, create an XMLReader and set the given features on 
it, so that we gain full control of the XML parser used by Saxon. This is 
important to prevent XXE attacks when using Saxon to do XSLT transforms, e.g. by 
disabling "http://xml.org/sax/features/external-general-entities" so that 
sensitive local files cannot be accessed.
            Reporter: Freeman Yue Fang

--
This message was sent by Atlassian Jira
(v8.3.4#803005)