[ 
https://issues.apache.org/jira/browse/CAMEL-14501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Freeman Yue Fang updated CAMEL-14501:
-------------------------------------
    Description: 


Currently we can configure the TransformerFactory used by Saxon by specifying 
features/attributes there. However, this can only take effect on an XML parser 
that Saxon creates. It has no effect if the Camel application creates the XML 
parser (that is, if the input is supplied to Saxon as a Source object).

Per the Saxon community discussion here (https://saxonica.plan.io/issues/2457m):

If you want detailed control over parsing, the best way is to create an 
XMLReader yourself and supply it to Saxon within a SAXSource object.

So we need to add a saxonReaderProperties option to the camel-xslt-saxon 
endpoint; if saxonReaderProperties isn't null, create an XMLReader and specify 
features on it, so that we can gain full control of the XML parser used by 
Saxon. This is important to prevent XXE attacks when using Saxon to do XSLT 
transforms, e.g. by disabling http://xml.org/sax/features/external-general-entities 
so as to not access sensitive local files.
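The approach described above (an XMLReader created and hardened by the application, handed to Saxon inside a SAXSource) as an added, stand-alone example; this is not Camel's code. The class name and the READER_PROPERTIES map are assumptions standing in for the proposed saxonReaderProperties option, and Saxon-HE must be on the classpath.

```java
import java.io.*;
import java.util.Map;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.*;
import org.xml.sax.*;

public class SaxonHardenedReaderExample {
    // Constructed stand-in for the proposed saxonReaderProperties option: SAX feature URIs
    // applied to an XMLReader we create ourselves, rather than leaving parser creation to Saxon.
    static final Map<String, Boolean> READER_PROPERTIES = Map.of(
        "http://apache.org/xml/features/disallow-doctype-decl", true,
        "http://xml.org/sax/features/external-general-entities", false,
        "http://xml.org/sax/features/external-parameter-entities", false);

    static XMLReader hardenedReader(Map<String, Boolean> props) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        for (Map.Entry<String, Boolean> e : props.entrySet()) {
            reader.setFeature(e.getKey(), e.getValue());
        }
        return reader;
    }

    static String transform(String xml, String xslt) throws Exception {
        TransformerFactory tf = new net.sf.saxon.TransformerFactoryImpl(); // Saxon-HE factory
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
        // Supplying a SAXSource with our reader means the features above govern this parse.
        SAXSource src = new SAXSource(hardenedReader(READER_PROPERTIES),
                                      new InputSource(new StringReader(xml)));
        StringWriter out = new StringWriter();
        t.transform(src, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xslt = "<xsl:stylesheet version='2.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:output method='text'/><xsl:template match='/'><xsl:value-of select='/doc'/></xsl:template></xsl:stylesheet>";
        System.out.println(transform("<doc>hello</doc>", xslt));
        // Constructed input with a DOCTYPE declaring an external entity; the hardened reader
        // rejects the DOCTYPE outright instead of resolving the entity against the local filesystem.
        String xxe = "<!DOCTYPE doc [<!ENTITY ext SYSTEM 'file:///placeholder/local/file'>]><doc>&ext;</doc>";
        try {
            transform(xxe, xslt);
        } catch (TransformerException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Without the SAXSource (passing a StreamSource instead), Saxon would create its own parser and the features set here would not apply, which is exactly the gap the issue describes.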


> gain full control of XML parser used by Saxon
> ---------------------------------------------
>
>                 Key: CAMEL-14501
>                 URL: https://issues.apache.org/jira/browse/CAMEL-14501
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-xslt
>         Environment: Currently we can configure the TransformerFactory used by 
> Saxon by specifying features/attributes there. However, this can only take 
> effect on an XML parser that Saxon creates. It has no effect if the Camel 
> application creates the XML parser (that is, if the input is supplied to 
> Saxon as a Source object).
> Per [Saxon community discussion here|https://saxonica.plan.io/issues/2457m]: 
> {code}
> If you want detailed control over parsing, the best way is to create an 
> XMLReader yourself and supply it to Saxon within a SAXSource object.
> {code}
> So we need to add a saxonReaderProperties option to the camel-xslt-saxon 
> endpoint; if saxonReaderProperties isn't null, create an XMLReader and specify 
> features on it, so that we can gain full control of the XML parser used by 
> Saxon. This is important to prevent XXE attacks when using Saxon to do XSLT 
> transforms, e.g. by disabling http://xml.org/sax/features/external-general-entities 
> so as to not access sensitive local files.
>            Reporter: Freeman Yue Fang
>            Assignee: Freeman Yue Fang
>            Priority: Major



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
