[https://issues.apache.org/jira/browse/XERCESJ-1654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16774022#comment-16774022]
Philipp Nanz commented on XERCESJ-1654:
---------------------------------------
It would be nice if Apache Xerces would implement the properties defined in
JAXP 1.5, see [https://openjdk.java.net/jeps/185] for details. It is super
confusing that the JDK Xerces understands these switches, while the Apache
Xerces does not.
My biggest concern here is that lots of people set the {{SECURE_PROCESSING}}
feature because tools like Sonar tell them to do so, in order to prevent XXE
attacks. But this really gives them a false sense of security, because as soon
as the Apache Xerces library is on the classpath, the switch will not have the
desired effect anymore.
> Add support for properties set by JAXP in the JDK (secure-processing,
> accessExternalDTD and entityExpansionLimit)
> ------------------------------------------------------------------------------------------------------------------
>
> Key: XERCESJ-1654
> URL: https://issues.apache.org/jira/browse/XERCESJ-1654
> Project: Xerces2-J
> Issue Type: New Feature
> Affects Versions: 2.11.0
> Environment: Problem noticed with:
> * jdk1.7.0_71.jdk
> * jdk1.8.0_25.jdk
> Reporter: Vincent Massol
> Priority: Major
>
> I have tons of the following warnings in my console when doing an XSLT
> transformation:
> {noformat}
> Warning: org.apache.xerces.parsers.SAXParser: Feature
> 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
> Warning: org.apache.xerces.parsers.SAXParser: Property
> 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
> Warning: org.apache.xerces.parsers.SAXParser: Property
> 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not
> recognized.
> {noformat}
> Code:
> {code}
> import java.io.StringReader;
> import java.io.StringWriter;
> import javax.xml.transform.OutputKeys;
> import javax.xml.transform.Transformer;
> import javax.xml.transform.TransformerException;
> import javax.xml.transform.TransformerFactory;
> import javax.xml.transform.TransformerFactoryConfigurationError;
> import javax.xml.transform.stream.StreamResult;
> import javax.xml.transform.stream.StreamSource;
>
> /**
>  * Parse and pretty print an XML content.
>  *
>  * @param content the XML content to format
>  * @return the formatted version of the passed XML content
>  * @throws TransformerFactoryConfigurationError when failing to create a
>  *         {@link TransformerFactoryConfigurationError}
>  * @throws TransformerException when failing to transform the content
>  * @since 5.2M1
>  */
> public static String formatXMLContent(String content)
>     throws TransformerFactoryConfigurationError, TransformerException
> {
>     Transformer transformer = TransformerFactory.newInstance().newTransformer();
>     transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>     transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
>     StreamResult result = new StreamResult(new StringWriter());
>     StreamSource source = new StreamSource(new StringReader(content));
>     transformer.transform(source, result);
>     return result.getWriter().toString();
> }
> {code}
> According to what I read at https://issues.apache.org/jira/browse/RAT-158 and
> at http://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html this seems
> to have been caused by some changes introduced in the JDK and that XercesJ
> doesn't support yet.
> Thus this issue is about adding support for them.
> Thanks!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
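The comment above describes the practical risk: a parser that only logs "is not recognized" for a hardening switch keeps external entity resolution enabled, and the caller never finds out. The following is an added example, not code from the XERCESJ-1654 report, from XWiki, or from Xerces/Xalan. It reworks the reporter's pretty-printer so that the input is parsed by an XMLReader whose XXE switches are mandatory: it sets the Xerces-native feature URIs (understood by both the JDK-internal and the Apache Xerces) alongside the JAXP 1.5 ones, lets the SAXNotRecognizedException / IllegalArgumentException that an unsupporting implementation throws propagate instead of swallowing it, and hands the transformer a SAXSource bound to that reader so the transformer never parses the raw text with whichever parser it happens to pick from the classpath. The class name SafeXmlFormatter and the sample documents in main() are constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/**
 * Added example (hypothetical class, not part of Xerces, Xalan or the reporter's project).
 * Pretty-prints XML like the reporter's formatXMLContent, but every XXE-related
 * switch is mandatory: a parser that does not honour one of them makes
 * newHardenedReader() throw instead of printing "is not recognized" and carrying on.
 */
public final class SafeXmlFormatter {

    // Xerces-native feature URIs, honoured by both the JDK-internal and Apache Xerces.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    private SafeXmlFormatter() {}

    /** Returns a reader with DOCTYPE and external entities disabled, or throws (fail closed). */
    public static XMLReader newHardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // setFeature throws SAXNotRecognizedException / SAXNotSupportedException for a
        // switch the selected parser does not implement; deliberately not caught here.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(EXTERNAL_GENERAL, false);
        factory.setFeature(EXTERNAL_PARAMETER, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setNamespaceAware(true);
        return factory.newSAXParser().getXMLReader();
    }

    /** Pretty-prints content; the transformer is never given the raw text to parse. */
    public static String formatXMLContent(String content)
            throws TransformerException, ParserConfigurationException, SAXException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes for the transformer side (stylesheet and DTD fetches).
        // An implementation that lacks them throws IllegalArgumentException, which
        // again propagates rather than being logged and ignored.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer transformer = tf.newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");

        // Bind the input to the hardened reader so it is parsed with the switches
        // above, whichever parser the transformer would otherwise have chosen.
        SAXSource source = new SAXSource(newHardenedReader(),
                new InputSource(new StringReader(content)));
        StreamResult result = new StreamResult(new StringWriter());
        transformer.transform(source, result);
        return result.getWriter().toString();
    }

    /** Self-check on constructed inputs: plain XML passes, any DOCTYPE is rejected. */
    public static void main(String[] args) throws Exception {
        System.out.println(formatXMLContent("<root><a>1</a><b>2</b></root>"));

        // Constructed sample: a harmless internal entity is enough to show that the
        // DOCTYPE itself is refused before any entity, internal or external, is expanded.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"test\">]><x>&e;</x>";
        try {
            formatXMLContent(withDoctype);
            throw new IllegalStateException("DOCTYPE was accepted: hardening not in effect");
        } catch (TransformerException expected) {
            // The reader's SAXParseException arrives wrapped by the transformer.
            System.out.println("rejected as expected: " + expected.getMessage());
        }
    }
}
```

Failing closed is the point of the design: if this class throws at start-up on a given classpath, that is the signal the warnings in the report were hiding, namely that the parser in use does not implement the switch the code relies on. The main() run doubles as a detection check for deployments, since a DOCTYPE that gets accepted means the hardening is not active for that parser.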