Xalan just got a question about possible cross-site access if given a document with an external entity reference in its in-file DTD.

We default to using Xerces. And as far as I know, Xerces defaults to XMLConstants.FEATURE_SECURE_PROCESSING.

The user is concerned because an input document with an external reference to a deliberately garbled URI produced the error message

(Location of error unknown)java.net.MalformedURLException: no protocol: [garbled URI]

We get that message even when XMLConstants.FEATURE_SECURE_PROCESSING is explicitly set true. But from where I'm sitting, that just means a syntax check was done on the URI, NOT necessarily that it was dereferenced... and if it isn't dereferenced, there is no security issue.

Can you folks confirm how external DTD references are handled by Xerces security? Is there anything else Xalan should be setting that it might not have?

advTHANKSance...

--
Joe Kesselman (he/him/his)
My Alexa skill for New Music/New Sounds fans:
https://www.amazon.com/dp/B09WJ3H657/

Caveat: Opinionated old geezer with overcompensated writer's block. May be redundant, verbose, prolix, sesquipedalian, didactic, officious, or redundant. Feel free to call him on it.
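
One way to observe whether a parser actually asks to dereference an external entity, rather than only syntax-checking its URI, is to install a recording EntityResolver. This is an added example, not part of the original message and not Xalan or Xerces code; the class name, the example.invalid URL and the sample document are constructed, and it exercises whichever JAXP parser is on the classpath.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

// Added example: reports whether the JAXP parser on the classpath asks to
// resolve an external entity declared in an in-file DTD.
public class ExternalEntityProbe {
    // Constructed sample input; example.invalid is a reserved, non-resolvable name.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"http://example.invalid/probe.txt\"> ]>\n"
      + "<doc>&ext;</doc>";

    /** Parses DOC and returns every system ID the parser asked to resolve. */
    static List<String> probe(boolean secureProcessing) throws Exception {
        List<String> requested = new ArrayList<>();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Record the request and hand back an empty entity, so nothing is
        // fetched whatever the parser's own default would have been.
        db.setEntityResolver((publicId, systemId) -> {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        });
        try {
            db.parse(new InputSource(new StringReader(DOC)));
        } catch (Exception e) {
            // A parser that rejects the entity outright reports it here.
            System.out.println("parse stopped: " + e);
        }
        return requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("parser: " + DocumentBuilderFactory.newInstance().getClass().getName());
        for (boolean fsp : new boolean[] { false, true }) {
            System.out.println("secure-processing=" + fsp + " resolve requests: " + probe(fsp));
        }
    }
}
```

An empty list means the parser never asked for the entity; a non-empty one means it reached entity resolution, so what happens next depends on the resolver and the parser's other settings.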
