Hi, I am not sure if the Xalan team is aware of this behavior.
Once Xalan Java is in the classpath of a Java application, the flag FEATURE_SECURE_PROCESSING is not honored. The user plokta on GitHub reported this issue to the find-sec-bugs project. He has even created a project for easy reproduction: https://github.com/plokta/transformerXXE

When the security feature is ignored, it can lead to SSRF, remote file read or even remote code execution in the case of XSLT parsing.

Reference to the initial report: https://github.com/find-sec-bugs/find-sec-bugs/issues/433

--
Philippe Arteau
Cybersecurity Researcher
GoSecure
www.gosecure.net
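A defensive factory setup for the behavior described in the report, added here as an example (not code from the report, from find-sec-bugs or from Xalan). It assumes only the standard JAXP TransformerFactory API and treats the secure-processing flag as something to verify rather than trust; the class name mentioned in the comment is what Xalan Java registers and is stated as an expectation, not something the report confirms.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;

/** Builds a TransformerFactory that fails closed when secure processing cannot be verified. */
public final class HardenedTransformerFactory {

    private HardenedTransformerFactory() {}

    public static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Record which implementation JAXP resolved. With xalan.jar on the classpath this is
        // expected to be org.apache.xalan.processor.TransformerFactoryImpl rather than the JDK's
        // built-in factory; it is the first thing to check when the secure flag has no effect.
        String impl = tf.getClass().getName();

        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Do not rely on the secure-processing flag alone: explicitly forbid external DTDs and
        // stylesheets. Per the JAXP contract an implementation that does not recognise these
        // attributes throws IllegalArgumentException, which is treated here as "cannot be secured".
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerConfigurationException(
                "Refusing to process XSLT: " + impl + " does not support external-access restrictions", e);
        }

        // Independent guard for document(), xsl:import and xsl:include: every URI resolution goes
        // through this resolver, and throwing (rather than returning null, which would fall back
        // to the default resolution) rejects the reference.
        tf.setURIResolver(new URIResolver() {
            @Override
            public Source resolve(String href, String base) throws TransformerException {
                throw new TransformerException("External reference blocked: " + href);
            }
        });

        // Read the flag back so a silently ignored setFeature() is caught at startup.
        if (!tf.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
            throw new TransformerConfigurationException(
                "Refusing to process XSLT: " + impl + " did not retain FEATURE_SECURE_PROCESSING");
        }
        return tf;
    }
}
```

Logging `impl` at startup is usually enough to notice that a transitive dependency has pulled Xalan onto the classpath and changed which factory the application is actually running.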