[jira] [Updated] (CAMEL-14501) gain fully control of xml parser used by saxon

Wed, 05 Feb 2020 09:14:20 -0800 


     [ 
https://issues.apache.org/jira/browse/CAMEL-14501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Freeman Yue Fang updated CAMEL-14501:
-------------------------------------
    Environment:     (was: currently we can configure TransformerFactory used 
by saxon by specifying features/attributes there. However, this can only take 
effect on an XML parser that Saxon creates. It has no effect if camel 
application creates the XML parser (that is, if the input is supplied to Saxon 
as a Source object)

Per [saxon community discussion here|https://saxonica.plan.io/issues/2457m] , 
{code}
If you want detailed control over parsing, the best way is to create an 
XMLReader yourself and supply it to Saxon within a SAXSource object.
{code}

So we need to saxonReaderProperties option to camel-xslt-saxon endpoint, if 
saxonReaderProperties isn't null, create a XMLReader and specify features on 
it, so that we can gain fully control of xml parsed used by saxon. This is 
important to prevent XXE attack when using saxon to do xslt transform. Like by 
disabling uri=http://xml.org/sax/features/external-general-entities"; to not 
access sensitive local files.)

> gain fully control of xml parser used by saxon
> ----------------------------------------------
>
>                 Key: CAMEL-14501
>                 URL: https://issues.apache.org/jira/browse/CAMEL-14501
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-xslt
>            Reporter: Freeman Yue Fang
>            Assignee: Freeman Yue Fang
>            Priority: Major
>
> currently we can configure TransformerFactory used by saxon by specifying 
> features/attributes there. However, this can only take effect on an XML 
> parser that Saxon creates. It has no effect if camel application creates the 
> XML parser (that is, if the input is supplied to Saxon as a Source object)
> Per saxon community discussion here ,
> If you want detailed control over parsing, the best way is to create an 
> XMLReader yourself and supply it to Saxon within a SAXSource object.
> So we need to saxonReaderProperties option to camel-xslt-saxon endpoint, if 
> saxonReaderProperties isn't null, create a XMLReader and specify features on 
> it, so that we can gain fully control of xml parsed used by saxon. This is 
> important to prevent XXE attack when using saxon to do xslt transform. Like 
> by disabling uri=http://xml.org/sax/features/external-general-entities"; to 
> not access sensitive local files.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to