[jira] [Commented] (FOP-3096) New version with batik in version 1.15 to resolve CVE-2022-40146

2022-10-05 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613055#comment-17613055
 ] 

Joshua Marquart commented on FOP-3096:
--

Simon-

While you, I, and the general development community do not consider the batik 
1.14 issue a vulnerability, the existence of the now-legacy batik in the build 
cycle causes problems with those who rely on FOP.  The CVEs associated with 
batik 1.14 are considered vulnerability issues by security teams who run audits 
and enforce build breaker scenarios, preventing deployments of FOP 2.7 due to 
the vuln existence.

As it stands at this time, due to batik 1.14 dependence, FOP 2.7 scans as

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

The current workaround is for developers to enforce a batik dependency override 
to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency 
problem would go a long way.

> New version with batik in version 1.15 to resolve CVE-2022-40146
> 
>
> Key: FOP-3096
> URL: https://issues.apache.org/jira/browse/FOP-3096
> Project: FOP
>  Issue Type: Wish
>Affects Versions: 2.7
>Reporter: Alexis Nouvel
>Priority: Minor
>
> When will a new version of fop that references batik in version 1.15 be 
> released?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Comment Edited] (FOP-3096) New version with batik in version 1.15 to resolve CVE-2022-40146

2022-10-05 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3096?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17613055#comment-17613055
 ] 

Joshua Marquart edited comment on FOP-3096 at 10/5/22 4:14 PM:
---

Simon-

While you, I, and the general development community do not consider the batik 
1.14 issue a high priority vulnerability, the existence of the now-legacy batik 
in the build cycle causes problems with those who rely on FOP.  The CVEs 
associated with batik 1.14 are considered vulnerability issues by security 
teams who run audits and enforce build breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln existence.

As it stands at this time, due to batik 1.14 dependence, FOP 2.7 scans as

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

The current workaround is for developers to enforce a batik dependency override 
to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency 
problem would go a long way.


was (Author: joshdm):
Simon-

While you, I, and the general development community do not consider the batik 
1.14 issue a high priority vulnerability, the existence of the now-legacy 
batik in the build cycle causes problems with those who rely on FOP.  The CVEs 
associated with batik 1.14 are considered vulnerability issues by security 
teams who run audits and enforce build breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln existence.

As it stands at this time, due to batik 1.14 dependence, FOP 2.7 scans as

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

The current workaround is for developers to enforce a batik dependency override 
to 1.15, but a fop 2.7.1 hotfix release just to address the batik dependency 
problem would go a long way.







[jira] [Created] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies

2022-10-10 Thread Joshua Marquart (Jira)
Joshua Marquart created FOP-3097:


 Summary: A FOP 2.7.1 hotfix release with only updated batik 
dependencies
 Key: FOP-3097
 URL: https://issues.apache.org/jira/browse/FOP-3097
 Project: FOP
  Issue Type: Wish
Affects Versions: 2.7
Reporter: Joshua Marquart


batik 1.14 is a dependency of FOP 2.7.  1.14 has CVE issues considered HIGH and 
MEDIUM.  

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

These issues are resolved in batik 1.15. 

The existence of these dependency vulnerabilities causes items such as 
buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The CVEs 
associated with batik 1.14 are considered vulnerability issues by security 
teams who run audits and enforce build breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln existence.

WORKAROUND

The current workaround is for developers to enforce a custom batik dependency 
override to 1.15.  A FOP 2.7.1 hotfix release just to address the batik 
dependency problem would be appreciated by the extended community.  It 
theoretically should not require any FOP code changes.





[jira] [Commented] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies

2022-11-01 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627313#comment-17627313
 ] 

Joshua Marquart commented on FOP-3097:
--

[~exx_communication] - no need to create a new Jira issue if this one isn't 
closed.

The simple solution is to just update / edit this request, and push batik to 
1.16, skipping the now-vulnerable 1.15.

> A FOP 2.7.1 hotfix release with only updated batik dependencies
> ---
>
> Key: FOP-3097
> URL: https://issues.apache.org/jira/browse/FOP-3097
> Project: FOP
>  Issue Type: Wish
>Affects Versions: 2.7
>Reporter: Joshua Marquart
>Priority: Major
>
> batik 1.14 is a dependency of FOP 2.7.  1.14 has CVE issues considered HIGH 
> and MEDIUM.  
> CVE-2022-40146 - HIGH
> CVE-2022-38648 - MEDIUM
> CVE-2022-38398 - MEDIUM
> These issues are resolved in batik 1.15. 
> The existence of these dependency vulnerabilities causes items such as 
> buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The 
> CVEs associated with batik 1.14 are considered vulnerability issues by 
> security teams who run audits and enforce build breaker scenarios, preventing 
> deployments of FOP 2.7 due to the vuln existence.
> WORKAROUND
> The current workaround is for developers to enforce a custom batik dependency 
> override to 1.15.  A FOP 2.7.1 hotfix release just to address the batik 
> dependency problem would be appreciated by the extended community.  It 
> theoretically should not require any FOP code changes.





[jira] [Updated] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies

2022-11-01 Thread Joshua Marquart (Jira)


 [ 
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joshua Marquart updated FOP-3097:
-
Description: 
batik 1.14 is a dependency of FOP 2.7. 

1.14 has CVE issues considered HIGH and MEDIUM.  

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

These issues are resolved in batik 1.15.

CVE-2022-42890 - MEDIUM

 CVE-2022-41704 - MEDIUM

These issues are resolved in batik 1.16.

The existence of these dependency vulnerabilities causes items such as 
buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The CVEs 
associated with batik 1.16 are considered vulnerability issues by security 
teams who run audits and enforce build breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln existence.

WORKAROUND

The current workaround is for developers to enforce a custom batik dependency 
override to 1.16.  A FOP 2.7.1 hotfix release just to address the batik 
dependency problem would be appreciated by the extended community.  It 
theoretically should not require any FOP code changes.

  was:
batik 1.14 is a dependency of FOP 2.7.  1.14 has CVE issues considered HIGH and 
MEDIUM.  

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

These issues are resolved in batik 1.15. 

The existence of these dependency vulnerabilities causes items such as 
buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The CVEs 
associated with batik 1.14 are considered vulnerability issues by security 
teams who run audits and enforce build breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln existence.

WORKAROUND

The current workaround is for developers to enforce a custom batik dependency 
override to 1.15.  A FOP 2.7.1 hotfix release just to address the batik 
dependency problem would be appreciated by the extended community.  It 
theoretically should not require any FOP code changes.







[jira] [Updated] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies

2022-11-01 Thread Joshua Marquart (Jira)


 [ 
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Joshua Marquart updated FOP-3097:
-
Description: 
batik 1.14 is a dependency of FOP 2.7. 

1.14 has CVE issues considered HIGH and MEDIUM.  

CVE-2022-40146 - HIGH

CVE-2022-38648 - MEDIUM

CVE-2022-38398 - MEDIUM

These issues are resolved in batik 1.15, but 1.15 still contains 
vulnerabilities.

CVE-2022-42890 - MEDIUM

 CVE-2022-41704 - MEDIUM

These issues are resolved in batik 1.16.

The existence of these dependency vulnerabilities causes items such as 
buildbreaker to prevent proper clean builds when referencing FOP 2.7.  The CVEs 
associated with batik 1.16 are considered vulnerability issues by security 
teams who run audits and enforce build breaker scenarios, preventing 
deployments of FOP 2.7 due to the vuln existence.

WORKAROUND

The current workaround is for developers to enforce a custom batik dependency 
override to 1.16.  A FOP 2.7.1 hotfix release just to address the batik 
dependency problem would be appreciated by the extended community.  It 
theoretically should not require any FOP code changes.






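The build-breaker gate these comments describe, written here as an added example (not FOP's code nor any particular scanner's): it reads the lines that `mvn dependency:list` prints, flags every batik artifact whose version still carries one of the CVEs listed in FOP-3097, and shows the dependency override clearing the gate only once batik is pinned to 1.16. The CVE-to-fixed-version table is taken from the issue text; the sample dependency lines, the artifact names in them and the severity threshold policy are constructed assumptions.

```python
"""Batik CVE gate over `mvn dependency:list` output (added example for FOP-3097)."""
import re
from typing import Dict, List, Optional, Tuple

# Severity and fixed-in batik version for each CVE the issue lists (from the issue text).
BATIK_CVES: Dict[str, Tuple[str, str]] = {
    "CVE-2022-40146": ("HIGH", "1.15"),
    "CVE-2022-38648": ("MEDIUM", "1.15"),
    "CVE-2022-38398": ("MEDIUM", "1.15"),
    "CVE-2022-42890": ("MEDIUM", "1.16"),
    "CVE-2022-41704": ("MEDIUM", "1.16"),
}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# group:artifact:type[:classifier]:version:scope, the shape `mvn dependency:list` prints.
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)\b"
)

# Constructed sample of a FOP 2.7 consumer's resolved dependencies (artifact names assumed).
SAMPLE_FOP_27_DEPS = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.apache.xmlgraphics:fop:jar:2.7:compile",
    "[INFO]    org.apache.xmlgraphics:batik-bridge:jar:1.14:compile",
    "[INFO]    org.apache.xmlgraphics:batik-transcoder:jar:1.14:compile",
    "[INFO]    org.apache.xmlgraphics:xmlgraphics-commons:jar:2.7:compile",
]


def version_key(version: str) -> Tuple[int, ...]:
    """Compare on numeric components only; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def cves_for_batik(version: str) -> List[str]:
    """CVEs from the issue that still apply to the given batik version."""
    return [cve for cve, (_, fixed) in BATIK_CVES.items()
            if version_key(version) < version_key(fixed)]


def _is_batik(m: "re.Match") -> bool:
    return m["group"] == "org.apache.xmlgraphics" and m["artifact"].startswith("batik-")


def scan_dependency_list(lines: List[str]) -> List[dict]:
    """One finding per batik artifact that still carries a listed CVE."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if m and _is_batik(m):
            cves = cves_for_batik(m["version"])
            if cves:
                findings.append({"artifact": m["artifact"], "version": m["version"], "cves": cves})
    return findings


def worst_severity(findings: List[dict]) -> Optional[str]:
    worst = None
    for f in findings:
        for cve in f["cves"]:
            sev = BATIK_CVES[cve][0]
            if worst is None or SEVERITY_RANK[sev] > SEVERITY_RANK[worst]:
                worst = sev
    return worst


def build_breaks(lines: List[str], fail_on: str = "MEDIUM") -> bool:
    """Policy gate (assumed): fail the build when any flagged CVE is at or above fail_on."""
    worst = worst_severity(scan_dependency_list(lines))
    return worst is not None and SEVERITY_RANK[worst] >= SEVERITY_RANK[fail_on]


def apply_batik_override(lines: List[str], version: str) -> List[str]:
    """Simulate the FOP-3097 workaround: pin every batik-* artifact to `version`."""
    out = []
    for line in lines:
        m = DEP_RE.search(line)
        if m and _is_batik(m):
            line = line[:m.start("version")] + version + line[m.end("version"):]
        out.append(line)
    return out


if __name__ == "__main__":
    for pin in (None, "1.15", "1.16"):
        deps = SAMPLE_FOP_27_DEPS if pin is None else apply_batik_override(SAMPLE_FOP_27_DEPS, pin)
        print(f"batik override={pin}: worst={worst_severity(scan_dependency_list(deps))} "
              f"breaks={build_breaks(deps)}")
```

Pinning to 1.15 drops the HIGH finding but still fails a MEDIUM gate, which is the point of the edited request; only the 1.16 override leaves no findings.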

[jira] [Commented] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies

2022-11-09 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631179#comment-17631179
 ] 

Joshua Marquart commented on FOP-3097:
--

[~ssteiner] excellent.

Is releasing 2.8 to the central Maven Repository part of the release process?

[https://mvnrepository.com/artifact/org.apache.xmlgraphics/fop]







[jira] [Commented] (FOP-3097) A FOP 2.7.1 hotfix release with only updated batik dependencies

2022-11-09 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3097?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631187#comment-17631187
 ] 

Joshua Marquart commented on FOP-3097:
--

Good to know.  Thank you for all the effort!






[jira] [Created] (FOP-3107) Update fontbox dependency

2022-11-09 Thread Joshua Marquart (Jira)
Joshua Marquart created FOP-3107:


 Summary: Update fontbox dependency
 Key: FOP-3107
 URL: https://issues.apache.org/jira/browse/FOP-3107
 Project: FOP
  Issue Type: Wish
Affects Versions: 2.8
Reporter: Joshua Marquart


fop 2.8 was released with the same fontbox dependency as 2.7: version 2.0.24 
from June 2021.

At the time of this issue creation, the minor version of the 
org.apache.pdfbox.fontbox JAR is 2.0.27, with non-cumulative release notes 
identified as follows:

2.0.27: https://archive.apache.org/dist/pdfbox/2.0.27/RELEASE-NOTES.txt

2.0.26: https://archive.apache.org/dist/pdfbox/2.0.26/RELEASE-NOTES.txt

2.0.25: https://archive.apache.org/dist/pdfbox/2.0.25/RELEASE-NOTES.txt

This will clearly require testing before updating.

WORKAROUND: fop users wishing to use the higher fontbox version must explicitly 
override dependency inclusion with the later version.





[jira] [Commented] (FOP-3142) Fatal error when compiling large xsl templates

2023-08-02 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17750367#comment-17750367
 ] 

Joshua Marquart commented on FOP-3142:
--

As an aside, I see secure-processing is being set, which causes failed XML 
attribute generation issues since Xalan 2.7.2 (bug XALANJ-2591; 
https://issues.apache.org/jira/browse/XALANJ-2591 ).  This bug was resolved in 
a servicemix release for Xalan 2.7.2, but the fix was not ported to Xalan 
2.7.3.  Not certain it affects, but caution should be considered.

> Fatal error when compiling large xsl templates
> --
>
> Key: FOP-3142
> URL: https://issues.apache.org/jira/browse/FOP-3142
> Project: FOP
>  Issue Type: Bug
>Affects Versions: 2.8
>Reporter: Huy Ho
>Priority: Critical
>
> After we updated from FOP 2.6 to the latest FOP 2.8 version, our application 
> is running into the following error when compiling our stylesheets (stack 
> trace below).  To get around this issue, we downloaded the latest xalan-j 
> 2.7.3 library from [https://xalan.apache.org/xalan-j/index.html] and dropped 
> it in the fop/lib directory.  
>  
> {{java.lang.RuntimeException: XPATH_LIMIT}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Parser.parseTopLevel(Parser.java:1165)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Parser.parseExpression(Parser.java:1112)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.VariableBase.parseContents(VariableBase.java:250)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Param.parseContents(Param.java:106)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Stylesheet.parseOwnChildren(Stylesheet.java:587)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Stylesheet.parseContents(Stylesheet.java:559)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Import.parseContents(Import.java:132)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Stylesheet.parseOwnChildren(Stylesheet.java:597)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Stylesheet.parseContents(Stylesheet.java:559)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.Parser.createAST(Parser.java:398)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC.compile(XSLTC.java:496)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC.compile(XSLTC.java:576)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:1018)}}
> {{        at 
> java.xml/com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.newTransformer(TransformerFactoryImpl.java:817)}}
> {{        at 
> org.apache.fop.cli.InputHandler.transformTo(InputHandler.java:274)}}
> {{        at org.apache.fop.cli.InputHandler.renderTo(InputHandler.java:116)}}
> {{        at org.apache.fop.cli.Main.startFOP(Main.java:183)}}
> {{        at org.apache.fop.cli.Main.main(Main.java:214)}}
>  
> {{ERROR:  'JAXP0801003: the compiler encountered XPath expressions with an 
> accumulated '10,001' operators that exceeds the '10,000' limit set by 
> 'FEATURE_SECURE_PROCESSING'.'}}
> {{FATAL ERROR:  'JAXP0801003: the compiler encountered XPath expressions with 
> an accumulated '10,001' operators that exceeds the '10,000' limit set by 
> 'FEATURE_SECURE_PROCESSING'.'}}
> {{[ERROR] FOP - Exception  javax.xml.transform.TransformerConfigurationException: JAXP0801003: the 
> compiler encountered XPath expressions with an accumulated '10,001' operators 
> that exceeds the '10,000' limit set by 'FEATURE_SECURE_PROCESSING'.}}
> {{javax.xml.transform.TransformerConfigurationException: JAXP0801003: the 
> compiler encountered XPath expressions with an accumulated '10,001' operators 
> that exceeds the '10,000' limit set by 
> 'FEATURE_SECURE_PROCESSING'.>org.apache.fop.apps.FOPException: 
> javax.xml.transform.TransformerConfigurationException: JAXP0801003: the 
> compiler encountered XPath expressions with an accumulated '10,001' operators 
> that exceeds the '10,000' limit set by 'FEATURE_SECURE_PROCESSING'.}}
> {{javax.xml.transform.TransformerConfigurationException: JAXP0801003: the 
> compiler encountered XPath expressions with an accumulated '10,001' operators 
> that exceeds the '10,000' limit set by 'FEATURE_SECURE_PROCESSING'.}}
> {{        at 
> org.apache.fop.cli.InputHandler.transformTo(InputHandler.java:296)}}
> {{        at org.apache.fop.cli.InputHandler.renderTo(InputHandler.java:116)}}
> {{        at org.apache.fop.cli.Main.startFOP(Main.java:183)}}
> {{        at org.apache.fop.cli.Main.mai

[jira] [Commented] (FOP-3168) Add secure processing for XSL input

2024-03-05 Thread Joshua Marquart (Jira)


[ 
https://issues.apache.org/jira/browse/FOP-3168?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823806#comment-17823806
 ] 

Joshua Marquart commented on FOP-3168:
--

I have pointed this out elsewhere.

Apache Xalan has bug XALANJ-2591, which removes XML attributes on 
transformation when FEATURE_SECURE_PROCESSING is applied.

Servicemix Xalan 2.7.3_3 is the only build that remediates the bug.  They did 
not include the fix in prior main Xalan releases.

> Add secure processing for XSL input
> ---
>
> Key: FOP-3168
> URL: https://issues.apache.org/jira/browse/FOP-3168
> Project: FOP
>  Issue Type: Bug
>Reporter: Simon Steiner
>Assignee: Simon Steiner
>Priority: Major
> Fix For: main
>
>
> We should use FEATURE_SECURE_PROCESSING feature to secure XSL input


