Hi Jon, there is another thread on it (probably on user@).
I think we should just make xalan optional in the lib and upgrade.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>

2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <jonathan.gallim...@gmail.com>:

> Correction - that should be: "CDDL or GPL with classpath exception".
>
> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>
> > Great question. CDDL _or_ GPL, by the look of it.
> > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I believe.
> >
> > Jon
> >
> > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
> >
> >> What is the licence for GlassFish one?
> >>
> >> On 31 August 2017 12:38, "Jonathan Gallimore" <jonathan.gallim...@gmail.com> wrote:
> >>
> >> > Hi
> >> >
> >> > On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
> >> > done the same on the 1.7.x branch, specifically to move on from the old
> >> > openejb-jstl (looking at https://nvd.nist.gov/vuln/detail/CVE-2015-0254).
> >> > The taglibs-standard-jstlel library does seem to depend on xalan, which we
> >> > currently do not include in TomEE.
> >> >
> >> > The impact is that some XML functions in JSP code do not work, for
> >> > example:
> >> >
> >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> >> >
> >> > <x:parse var="movies">
> >> >   <movies>
> >> >     <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
> >> >     <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
> >> >     <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
> >> >     <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
> >> >     <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
> >> >     <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
> >> >     <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
> >> >   </movies>
> >> > </x:parse>
> >> >
> >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
> >> >
> >> > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
> >> > both 1.7.x and master)
> >> >
> >> > Including Xalan does fix this, but it's a 3MB dependency.
> >> >
> >> > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl
> >> > instead, which I have tested and seems to work. Anyone have any thoughts?
> >> >
> >> > Jon