Github user yuri1969 commented on the issue: https://github.com/apache/nifi/pull/1946

The `transformXml` uses the Saxon HE implementation of an XSLT processor. So Saxon implements the features.

- `FEATURE_SECURE_PROCESSING` is an XSLT processor feature that restricts XSLT functionality like `system-property()` to access Java system properties, using relative URIs in `xsl:result-document`, etc. So it should mitigate some threats coming from using non-trusted XSLTs.
- Both `http://xml.org/sax/features/external` are XML parser features that restrict using `<!ENTITY` of `<!DOCTYPE` in an XML file. An attacker can use entities to obtain access to your FS. For example, a malicious non-trusted input XML:

  ```
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
  <foo>&xxe;</foo>
  ```

  Then an XSLT output containing element `foo` leaks the content of your /etc/passwd file.
- Billion laughs/LOL bomb/entity expansion DoS is truly secured by the JRE default as you showed. So no need for a feature here.
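The leak described in the comment above, reproduced end to end as an added example (this is not code from the NiFi project or from the commenter). It feeds the commenter's payload through an XSLT that copies `foo`, first with default parser settings and then with the two SAX external-entity features disabled and `FEATURE_SECURE_PROCESSING` enabled on the `TransformerFactory`. It uses the plain JAXP API, so whichever `TransformerFactory` is on the classpath (Saxon HE via its service registration, or the JDK's built-in processor) is picked up. The feature names `external-general-entities` and `external-parameter-entities` are the two standard SAX features behind the `http://xml.org/sax/features/external` prefix; the secret file is a temp file created by the demo standing in for `/etc/passwd`, so it runs on any machine:

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XsltXxeDemo {

    // Stylesheet that writes the text of /foo into the output element, so whatever
    // the entity expanded to ends up in the transform result.
    static final String XSLT =
          "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/foo\"/></out></xsl:template>"
        + "</xsl:stylesheet>";

    // The commenter's payload, with the SYSTEM identifier pointing at a file we control
    // (stand-in for file:///etc/passwd so the demo is portable).
    static String maliciousXml(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
             + "<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\" >]>"
             + "<foo>&xxe;</foo>";
    }

    // Runs the transform. With hardened=false the parser resolves the external entity and
    // the XSLT copies the file content; with hardened=true both SAX external-entity
    // features are off (the entity is reported as skipped and expands to nothing) and
    // FEATURE_SECURE_PROCESSING is on for the XSLT side.
    static String transform(String xml, boolean hardened) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // required for XSLT to see element names correctly
        if (hardened) {
            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Supplying our own XMLReader guarantees the transformer uses these parser settings
        // instead of creating a default (entity-resolving) parser internally.
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));

        TransformerFactory tf = TransformerFactory.newInstance();
        if (hardened) {
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSLT)));
        StringWriter out = new StringWriter();
        t.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret: a fake /etc/passwd line written to a temp file.
        Path secret = Files.createTempFile("fake-passwd", ".txt");
        Files.write(secret, "root:x:0:0:root:/root:/bin/bash\n".getBytes(StandardCharsets.UTF_8));
        try {
            String leaked = transform(maliciousXml(secret), false);
            String blocked = transform(maliciousXml(secret), true);
            System.out.println("default settings : " + leaked);
            System.out.println("hardened settings: " + blocked);
            System.out.println("file content leaked with defaults? " + leaked.contains("root:x:0:0"));
            System.out.println("file content leaked when hardened? " + blocked.contains("root:x:0:0"));
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XsltXxeDemo.java && java XsltXxeDemo` (add Saxon HE to the classpath to exercise the same processor NiFi uses). Note that disabling the two external-entity features stops the file read but does not by itself reject a `DOCTYPE`; the entity reference simply expands to an empty string, which is why the hardened output is an empty `<out/>` rather than an error. Entity-expansion bombs are handled separately by the JDK's built-in expansion limit, as the comment notes.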