oscerd opened a new pull request, #24106:
URL: https://github.com/apache/camel/pull/24106

Backport of CAMEL-23783 to the `camel-4.18.x` maintenance branch (main PR: apache/camel#24105).

Hardens the Schematron rules-compilation `TransformerFactory` against XXE / external-resource resolution: `SchematronEndpoint.createTransformerFactory()` now enables `FEATURE_SECURE_PROCESSING` and sets `accessExternalDTD` / `accessExternalStylesheet` to empty, matching the already-hardened `SchematronProcessorFactory` (`SAXParserFactory`) on this branch. The bundled ISO skeleton stylesheets resolve from the classpath via the existing `ClassPathURIResolver`, so legitimate rule compilation is unaffected.

## Changes
- `createTransformerFactory()` hardening (clean cherry-pick of the main commit).
- New `SchematronTransformerFactoryHardeningTest`: legitimate rules still compile; external-entity rules are refused.

## Notes
- **Potential breaking change** for Schematron rules that intentionally reference external DTDs/entities/stylesheets (the XXE vector); inline the content instead. The upgrade-guide entry lives on `main` (#24105), per the project's backport-docs convention.
- `camel-schematron` module tests pass (14) on this branch.

Jira: https://issues.apache.org/jira/browse/CAMEL-23783

_Claude Code on behalf of Andrea Cosentino_
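The hardening the PR describes, as an added example that is not Camel's own code: a `TransformerFactory` configured with secure processing and empty `accessExternalDTD` / `accessExternalStylesheet`, checked against an inline stylesheet (compiles) and one whose DOCTYPE points at an external DTD (refused). The class name, the `compiles` helper and the `example.invalid` URL are constructed for illustration; it assumes the JDK's built-in XSLT implementation, which honours these attributes.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerFactoryDemo {

    // Same three settings the PR applies in createTransformerFactory() (illustrative, not Camel code).
    static TransformerFactory createTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol allowed, so neither DTDs nor imported/included stylesheets
        // may be fetched from outside the document itself.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    // Constructed sample: a minimal, self-contained stylesheet (stands in for inlined rules).
    static final String INLINE_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:template match=\"/\"><ok/></xsl:template></xsl:stylesheet>";

    // Constructed sample: the same stylesheet, but its DOCTYPE references an external DTD
    // over http. The hardened factory must refuse to compile it.
    static final String EXTERNAL_DTD_XSLT =
        "<!DOCTYPE xsl:stylesheet SYSTEM \"http://example.invalid/external.dtd\">" + INLINE_XSLT;

    // Returns true when the factory accepts the stylesheet, false when compilation is refused.
    static boolean compiles(TransformerFactory factory, String xslt) {
        try {
            Templates templates = factory.newTemplates(new StreamSource(new StringReader(xslt)));
            return templates != null;
        } catch (TransformerException e) {
            // With accessExternalDTD="" the parser reports the blocked DTD fetch as a
            // fatal error, which surfaces here as a TransformerConfigurationException.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory hardened = createTransformerFactory();
        System.out.println("inline rules compile:  " + compiles(hardened, INLINE_XSLT));
        System.out.println("external DTD refused:  " + !compiles(hardened, EXTERNAL_DTD_XSLT));
    }
}
```

Running it should print `true` for both lines; if the second prints `false`, the active `TransformerFactory` implementation is not honouring the attributes and the hardening is not in effect.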
   
