[
https://issues.apache.org/jira/browse/TIKA-2466?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16167557#comment-16167557
]
Nick Burch commented on TIKA-2466:
----------------------------------
[[email protected]] The methods not being static on {{ParseContext}} means it
isn't quite ideal, and having the Config objects call out to ParseContext looks
a little odd.
Wherever we put / leave the code, I think we need to add a similar method for
building a secure {{TransformerFactory}} too. Suggested settings for one of
those are given at
https://stackoverflow.com/questions/32086062/how-to-secure-javax-xml-transform-transformerfacotory-from-xml-external-attacks
> Remove JAXB usage
> -----------------
>
> Key: TIKA-2466
> URL: https://issues.apache.org/jira/browse/TIKA-2466
> Project: Tika
> Issue Type: Improvement
> Components: config
> Affects Versions: 1.14, 1.15, 1.16
> Reporter: Robert Munteanu
> Attachments: 0001-TIKA-2466-Remove-JAXB-usage.patch,
> 0001-TIKA-2466-Remove-JAXB-usage.patch
>
>
> Starting with Java 9 the {{javax.xml.bind}} classes are now part of the
> {{java.se.ee}} module which is not enabled by default. To simplify the Java 9
> integration (no --add-modules CLI switch, no explicit Java 9 module) I
> propose we simply replace JAXB with something else.
> See
> https://lists.apache.org/thread.html/72342314e709417bcb777fd3511b700dee443a3a658b730e52f99e38@%3Cuser.tika.apache.org%3E
> for more context
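A sketch of the kind of secure {{TransformerFactory}} builder the comment asks for, as an added example that is not code from the Tika project or the attached patch. The class name, the helper name {{newSecureTransformerFactory}} and the sample document are assumptions made for illustration; the settings are the standard JAXP secure-processing feature and external-access attributes.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureTransformerDemo {

    /** Hypothetical helper (not Tika's API): a factory with external access switched off. */
    static TransformerFactory newSecureTransformerFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Turn on the implementation's secure-processing limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        String[] attrs = {XMLConstants.ACCESS_EXTERNAL_DTD,
                          XMLConstants.ACCESS_EXTERNAL_STYLESHEET};
        for (String attr : attrs) {
            try {
                // An empty protocol list means no external DTD, entity or stylesheet is fetched.
                factory.setAttribute(attr, "");
            } catch (IllegalArgumentException e) {
                // Fail closed: a factory that ignores the restriction is not handed out.
                throw new TransformerException("TransformerFactory "
                        + factory.getClass().getName() + " does not support " + attr, e);
            }
        }
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: declares an external entity at a placeholder path.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder.txt\">]>\n"
                + "<doc>&ext;</doc>";
        Transformer identity = newSecureTransformerFactory().newTransformer();
        StringWriter out = new StringWriter();
        try {
            identity.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            System.out.println("Transform completed: " + out);
        } catch (TransformerException e) {
            // The message shows whether the external-access restriction stopped the parse.
            System.out.println("Transform stopped with: " + e.getMessage());
        }
    }
}
```

The helper throws rather than falling back when an implementation on the classpath rejects the JAXP 1.5 access attributes, so callers never receive an unrestricted factory by accident.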