[ 
https://issues.apache.org/jira/browse/CAMEL-14501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Freeman Yue Fang reassigned CAMEL-14501:
----------------------------------------

    Assignee: Freeman Yue Fang

> gain full control of xml parser used by saxon
> ---------------------------------------------
>
>                 Key: CAMEL-14501
>                 URL: https://issues.apache.org/jira/browse/CAMEL-14501
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-xslt
>         Environment: Currently we can configure the TransformerFactory used by 
> Saxon by specifying features/attributes there. However, this can only take 
> effect on an XML parser that Saxon creates. It has no effect if the Camel 
> application creates the XML parser (that is, if the input is supplied to 
> Saxon as a Source object).
> Per the [saxon community discussion here|https://saxonica.plan.io/issues/2457m],
> {code}
> If you want detailed control over parsing, the best way is to create an 
> XMLReader yourself and supply it to Saxon within a SAXSource object.
> {code}
> So we need to add a saxonReaderProperties option to the camel-xslt-saxon 
> endpoint; if saxonReaderProperties isn't null, create an XMLReader and specify 
> features on it, so that we can gain full control of the XML parser used by 
> Saxon. This is important to prevent XXE attacks when using Saxon to do XSLT 
> transforms, e.g. by disabling "http://xml.org/sax/features/external-general-entities" 
> so that sensitive local files are not accessed.
>            Reporter: Freeman Yue Fang
>            Assignee: Freeman Yue Fang
>            Priority: Major
>




--
This message was sent by Atlassian Jira
(v8.3.4#803005)