raboof commented on code in PR #1:
URL: https://github.com/apache/xalan-site/pull/1#discussion_r1083272737


##########
index.html:
##########
@@ -296,12 +296,23 @@ <h3>Getting Involved</h3>
  <a href="http://www.apache.org/foundation/getinvolved.html";>how to 
 participate</a> in the various development efforts.</p>
 
+<a name="Security">‌</a>
+<p align="right" size="2">
+<a href="#content">(top)</a>
+</p>
+<h3>Security</h3>
+<p>Xerces and Xalan do what the XML specs require by default. In some cases, 
this may not be appropriate behavior when working with untrusted input: the <a 
href="https://apache.github.io/xalan-c/secureweb.html";>XML Security 
Overview</a> mentions some potential risks. There are multiple methods for 
blocking access to external entities and for disallowing DOCTYPE declarations, 
and it is up to the downstream user of Xalan to block/reject these constructs 
where appropriate.</p>
+
+<p>If you think you have found a security issue in Apache Xalan, please follow 
the <a 
href="https://www.apache.org/security/#reporting-a-vulnerability";>reporting 
guidelines</a>
+</p>
+
+
 
 <p align="right" size="2">
 <a href="#content">(top)</a>
 </p>
 </div>
-<div id="footer">Copyright © 1999-2014 The Apache Software Foundation<br 
/>Apache, Xalan, and the Feather logo are trademarks of The Apache Software 
Foundation<div class="small">Web Page created on - Sun 2020-06-07</div>
+<div id="footer">Copyright © 1999-2014 The Apache Software Foundation<br 
/>Apache, Xalan, and the Feather logo are trademarks of The Apache Software 
Foundation<div class="small">Web Page created on - Fri 2023-01-20</div>
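Review bot: In the added Security paragraph, "There are multiple methods for blocking access to external entities and for disallowing DOCTYPE declarations" names none of those methods, and the only link goes to the xalan-c overview, so a reader who is told to "block/reject these constructs" is not told which settings to use. Consider linking the specific documentation for each implementation the paragraph covers. The reporting-guidelines sentence is also missing its closing period, and the footer line changes the creation date to 2023-01-20 while the copyright range still reads 1999-2014.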

Review Comment:
   Will update. Is there a legal reason to have the year in there? If not I 
would propose to remove it altogether.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.