Gary D. Gregory created XALANJ-2847:
---------------------------------------

             Summary: Improve documentation for site's Security section
                 Key: XALANJ-2847
                 URL: https://issues.apache.org/jira/browse/XALANJ-2847
             Project: XalanJ2
          Issue Type: Task
      Security Level: No security risk; visible to anyone (Ordinary problems in 
Xalan projects.  Anybody can view the issue.)
          Components: Documentation
            Reporter: Gary D. Gregory


Improve documentation for site's Security section:

Currently:

[https://github.com/apache/xalan-site/blob/master/xdocs/sources/xalan-apache-org/index.xml#L164]

says:

{code:xml}
<s2 title="Security">
<p>Xerces and Xalan do what the XML specifications require by default. In some 
cases, this may not be appropriate behavior when working with untrusted input: 
the <jump href="https://apache.github.io/xalan-c/secureweb.html">XML Security 
Overview</jump> mentions some potential risks. There are multiple methods for 
blocking access to external entities and for disallowing DOCTYPE declarations, 
and it is up to the downstream user of Xalan to block/reject these constructs 
where appropriate.</p>

<p>If you think you have found a security issue in Apache Xalan, please follow 
the <jump 
href="https://www.apache.org/security/#reporting-a-vulnerability">reporting 
guidelines</jump></p>
</s2>
{code}

Our Java component documentation pointing to our C component documentation 
could be confusing for some.

1) We should document how to configure an XML Parser securely and then invoke 
Xalan.

2) The same for invoking Xalan on the command line.

Private discussion 
[https://lists.apache.org/thread/xc1nf8mn9y5l5bc6wyv8kbqn5rptjhfo]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
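A worked example of item 1) above, added here as an illustration; it is not code from the Jira issue, the Xalan site, or the Xalan project. It builds a Xerces SAX reader with DOCTYPE declarations disallowed and external entity/DTD loading turned off, hands that reader to Xalan through a SAXSource for both the stylesheet and the input (so Xalan does not create its own unrestricted parser), and sets the JAXP 1.5 access-control attributes on the TransformerFactory. The class and method names, the stylesheet and the two input documents are constructed for the example; the feature URIs are the standard SAX/Xerces ones and the constants are from javax.xml.XMLConstants. One caveat: ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are only honored by a TransformerFactory that knows them, and a Xalan release that does not will throw IllegalArgumentException from setAttribute, which the example deliberately lets propagate instead of swallowing. The command-line case of item 2) is not covered here.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/** Example only: hardened parser configuration followed by a Xalan transform. */
public class SecureXalanInvocation {

    // Constructed sample stylesheet: copies the text of every <item> into <out>.
    private static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
      + "<xsl:template match=\"/\"><out><xsl:for-each select=\"//item\">"
      + "<v><xsl:value-of select=\".\"/></v></xsl:for-each></out></xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed benign input.
    private static final String SAFE_INPUT = "<root><item>a</item><item>b</item></root>";

    // Constructed hostile input: a DOCTYPE declaring an external entity.
    // The hardened reader rejects the DOCTYPE before the entity is ever resolved.
    private static final String XXE_INPUT =
        "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
      + "<root><item>&ext;</item></root>";

    /** SAX reader with DOCTYPE and all external entity/DTD loading turned off. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // JAXP feature every implementation must accept; turns on resource limits.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces/SAX features: reject any DOCTYPE and never fetch external entities or DTDs.
        // disallow-doctype-decl alone is sufficient; the other three are belt-and-braces
        // for deployments that must still accept a DOCTYPE.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** TransformerFactory that fetches neither external DTDs nor external stylesheets. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes; an empty string allows no protocol at all. This also
        // restricts xsl:import, xsl:include and document() to nothing external.
        // A factory that does not recognise these names throws IllegalArgumentException:
        // treat that as a configuration error, do not catch it and continue unrestricted.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Parse stylesheet and input with the hardened reader, then run the transform. */
    static String transform(String stylesheet, String input) throws Exception {
        TransformerFactory tf = hardenedFactory();
        // A SAXSource carrying our own XMLReader makes Xalan parse with that reader
        // instead of instantiating a default, unrestricted parser itself.
        SAXSource xsl = new SAXSource(hardenedReader(),
                                      new InputSource(new StringReader(stylesheet)));
        Transformer t = tf.newTransformer(xsl);
        SAXSource xml = new SAXSource(hardenedReader(),
                                      new InputSource(new StringReader(input)));
        StringWriter out = new StringWriter();
        t.transform(xml, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(transform(STYLESHEET, SAFE_INPUT));
        try {
            transform(STYLESHEET, XXE_INPUT);
            System.out.println("UNEXPECTED: hostile input was accepted");
        } catch (TransformerException e) {
            // Xalan wraps the parser's SAXParseException for the disallowed DOCTYPE.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with xalan.jar, serializer.jar and xercesImpl.jar on the classpath (or against the JDK's bundled copies). The point the documentation should make is in transform(): the hardening lives in the XMLReader, so it only protects the transform if that reader is the one Xalan actually uses, which a StreamSource does not guarantee.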
