Hi all,

Not sure how many folks saw it, but a couple of weeks ago Edwin (Goei) contributed some new code to the xml-commons version of JAXP's FactoryFinder which makes it considerably more robust with respect to security issues than it was hitherto. Edwin's code also falls back to the current class loader when looking for the factory, if the context class loader fails--as the code we currently ship does.

I would like to see Xerces incorporate this code, and I'd also like to retrofit our ObjectFactory to use a similar mechanism. It would also be great to see SAX adopt this methodology; I'd even go so far as to urge us to consider modifying our own copy of the SAX APIs to make use of it. Note that the code is designed so as to be wholly package-protected, so no application that relies on our current JAXP (or SAX, for that matter) interfaces will be affected.

The only drawback with Edwin's code is that it won't compile under JDK 1.1.8. It will, however, run in 1.1.8 VMs.

Would anyone have a problem if I updated our JAXP/ObjectFactory classes to use Edwin's code? I.e., does anyone care a lot about compiling under 1.1.8? I'll send a less detailed post to the user list posing the same question, and invite anyone from there who has issues to bring them here.

And what are people's feelings about investigating modifying our copy of SAX's NewInstance class in the same spirit?

Cheers!
Neil

Neil Graham
XML Parser Development
IBM Toronto Lab
Phone: 905-413-3519, T/L 969-3519
E-mail: [EMAIL PROTECTED]
