[ http://issues.apache.org/jira/browse/XALANJ-2136?page=all ]
Brian Minchau updated XALANJ-2136:
----------------------------------
Xalan info: [PatchAvailable]
Environment:
Description:
In JAXP 1.3, the TransformerFactory.setFeature() method must support the secure
processing feature. The following paragraph is taken from the javadocs of the
TransformerFactory.setFeature() method:

  All implementations are required to support the
  XMLConstants.FEATURE_SECURE_PROCESSING feature. When the feature is:
  -- true: the implementation will limit XML processing to conform to
     implementation limits and behave in a secure fashion as defined by the
     implementation. Examples include resolving user defined style sheets and
     functions. If XML processing is limited for security reasons, it will be
     reported via a call to the registered
     ErrorListener.fatalError(TransformerException exception). See
     setErrorListener(ErrorListener listener).
  -- false: the implementation will process XML according to the XML
     specifications without regard to possible implementation limits.

Sun's contributed JAXP 1.3 implementation only exposes the feature. But it does
not use the feature to limit the XML processing behavior. The proposed patch
will implement the following restrictions when the secure processing feature is
set to true:
1. use of extension elements and extension functions is disabled
2. the secure processing feature is also passed to all parsers created by the
   XSLT processor.
> JAXP 1.3: support the secure processing feature
> -----------------------------------------------
>
> Key: XALANJ-2136
> URL: http://issues.apache.org/jira/browse/XALANJ-2136
> Project: XalanJ2
> Type: Bug
> Components: JAXP
> Versions: CurrentCVS
> Reporter: Morris Kwan
> Assignee: Morris Kwan
> Attachments: secure_processing_feature_xalan.patch