[
https://issues.apache.org/jira/browse/BATIK-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18087674#comment-18087674
]
Piotr Karwasz commented on BATIK-1395:
--------------------------------------
Hi [~ssteiner],
Does the no-external-dependency rule apply only to {{batik-svgbrowser}}, which
is a desktop application, or also to the other Batik modules, which these days
are mostly pulled in transitively by build systems?
Log4j Core had the same rule when 2.0 shipped in 2014, and it pushed us to
bundle many features into the single {{log4j-core}} artifact. For 3.x we are
reversing that and shipping each feature that needs extra dependencies as a
separate artifact.
*Nitpick*: the {{ACCESS_EXTERNAL_*}} attributes in your commit only work with
the stock JDK {{TransformerFactory}}; a classpath Xalan throws on them. You
could pin the JDK implementation without any dependency by:
* using {{TransformerFactory.newDefaultInstance()}} instead of
{{TransformerFactory.newInstance()}}, which always returns the built-in JDK
implementation regardless of the classpath (so your three hardening lines are
guaranteed to be supported);
* this needs Java 9+, so it would mean raising the bytecode level of
{{batik-svgbrowser}} only. For a desktop app that seems reasonable, and apps on
newer JDKs let libraries lift their baseline too.
What do you think?
> Add secure processing to XMLInputHandler
> ----------------------------------------
>
> Key: BATIK-1395
> URL: https://issues.apache.org/jira/browse/BATIK-1395
> Project: Batik
> Issue Type: Bug
> Reporter: Simon Steiner
> Assignee: Simon Steiner
> Priority: Major
> Fix For: main
>
>
> XMLInputHandler is currently not used unless you uncomment a setting in a
> services file
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
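As an added illustration of the two points in the comment above (the JDK-only factory from {{TransformerFactory.newDefaultInstance()}}, and the {{ACCESS_EXTERNAL_*}} attributes that a classpath Xalan rejects), here is example code that is not from Batik, Log4j or the commit under discussion. It assumes the "three hardening lines" are {{FEATURE_SECURE_PROCESSING}} plus {{ACCESS_EXTERNAL_DTD}} and {{ACCESS_EXTERNAL_STYLESHEET}} set to the empty string; the class name and the stylesheet are constructed for the example, and it needs Java 9+ because {{newDefaultInstance()}} does not exist on Java 8.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

// Added example, not Batik or Log4j code. Requires Java 9+ for newDefaultInstance().
public final class HardenedTransformerFactory {

    /** Which of the three (assumed) hardening settings a factory accepted. */
    public static final class Result {
        public final boolean secureProcessing;
        public final boolean externalDtdBlocked;
        public final boolean externalStylesheetBlocked;

        Result(boolean secure, boolean dtd, boolean stylesheet) {
            secureProcessing = secure;
            externalDtdBlocked = dtd;
            externalStylesheetBlocked = stylesheet;
        }

        /** Any false here means the hardening silently did not take effect. */
        public boolean fullyHardened() {
            return secureProcessing && externalDtdBlocked && externalStylesheetBlocked;
        }

        @Override public String toString() {
            return "secureProcessing=" + secureProcessing
                 + ", externalDtdBlocked=" + externalDtdBlocked
                 + ", externalStylesheetBlocked=" + externalStylesheetBlocked;
        }
    }

    /** Java 9+: always the JDK's built-in implementation, whatever is on the classpath. */
    public static TransformerFactory jdkFactory() {
        return TransformerFactory.newDefaultInstance();
    }

    /** Classic lookup (system property, ServiceLoader, fallback): may be a classpath Xalan. */
    public static TransformerFactory classpathFactory() {
        return TransformerFactory.newInstance();
    }

    /** Apply the hardening and report what was accepted instead of failing on the first throw. */
    public static Result harden(TransformerFactory tf) {
        boolean secure;
        try {
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            secure = true;
        } catch (TransformerConfigurationException e) {
            secure = false;
        }
        boolean dtd = trySetAttribute(tf, XMLConstants.ACCESS_EXTERNAL_DTD);
        boolean stylesheet = trySetAttribute(tf, XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
        return new Result(secure, dtd, stylesheet);
    }

    // An implementation that does not know an attribute throws IllegalArgumentException;
    // that is the failure mode the comment describes for a classpath Xalan.
    private static boolean trySetAttribute(TransformerFactory tf, String name) {
        try {
            tf.setAttribute(name, "");   // "" = no external protocol allowed
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Constructed stylesheet: the include points at an external URL, which a hardened
    // factory must refuse to fetch while compiling the stylesheet.
    private static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:include href=\"http://example.invalid/remote.xsl\"/>"
      + "<xsl:template match=\"/\"><out/></xsl:template>"
      + "</xsl:stylesheet>";

    /** Returns null if the stylesheet compiled, otherwise the compile error message. */
    public static String compileError(TransformerFactory tf) {
        try {
            tf.newTemplates(new StreamSource(new StringReader(STYLESHEET)));
            return null;
        } catch (TransformerConfigurationException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        TransformerFactory jdk = jdkFactory();
        System.out.println("JDK factory: " + harden(jdk));
        System.out.println("  external include -> " + compileError(jdk));

        TransformerFactory cp = classpathFactory();
        System.out.println("classpath factory " + cp.getClass().getName() + ": " + harden(cp));
    }
}
```

Run it once with a plain JDK and once with a Xalan jar on the classpath: the first factory reports all three settings accepted in both runs, while the second reports the attributes rejected when Xalan wins the lookup. That difference is why the comment suggests {{newDefaultInstance()}}, and the unconditional {{newDefaultInstance()}} call is also what raises the bytecode baseline to Java 9.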