[ https://issues.apache.org/jira/browse/CXF-6766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15132051#comment-15132051 ]

Sergey Beryozkin commented on CXF-6766:
---------------------------------------

Hi Aki

In the case of the provider the stylesheets are sourced locally, these are not 
submitted by the client or server, i.e., it is not the case of the client 
sending some DOM or server responding with some DOM which can have the entities 
expanded, etc., so as such it seemed reasonable to let it be disabled if 
needed. I guess if we disable it via a system property for XSLTJaxbProvider 
then it might affect the in/out processing where it is actually more important 
to have it enabled. Note I believe this fix applies only to the XSLT stylesheets 
themselves.
Or do you propose to introduce a system property specifically for XSLT 
stylesheets?

Cheers, Sergey

  

> Option to disable XMLConstants.FEATURE_SECURE_PROCESSING in XSLTJaxbProvider
> ----------------------------------------------------------------------------
>
>                 Key: CXF-6766
>                 URL: https://issues.apache.org/jira/browse/CXF-6766
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS
>    Affects Versions: 3.1.4
>            Reporter: Vjacheslav Borisov
>            Assignee: Sergey Beryozkin
>            Priority: Trivial
>             Fix For: 3.1.5, 3.0.8, 3.2.0
>
>         Attachments: XSLTJaxbProvider.java.patch
>
>
> XSLTJaxbProvider configures
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> We need an option to disable this feature in some projects, e.g. to call an XSLT 
> extension.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
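
The trade-off discussed in this thread, as an added example (not code from CXF or from the attached patch): a per-factory switch for `FEATURE_SECURE_PROCESSING` that defaults to on and is applied only to the factory compiling locally sourced stylesheets, so no JVM-wide setting changes. The class name `StylesheetFactoryDemo`, the helpers `newFactory` and `tryCompile`, and the stylesheet are constructed for illustration, and the JDK's built-in XSLT processor is assumed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class StylesheetFactoryDemo {

    // Constructed stylesheet that calls a Java extension function (Math.sqrt).
    static final String XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:math='http://xml.apache.org/xalan/java/java.lang.Math'>"
      + "<xsl:template match='/'>"
      + "<out><xsl:value-of select='math:sqrt(16)'/></out>"
      + "</xsl:template></xsl:stylesheet>";

    // Hypothetical helper: the flag is scoped to this one factory instance.
    // Callers pass true unless a trusted, locally sourced stylesheet needs extensions.
    static TransformerFactory newFactory(boolean secureProcessing)
            throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        return factory;
    }

    // Compiles the stylesheet and reports whether the processor accepted it.
    static String tryCompile(boolean secureProcessing) {
        try {
            newFactory(secureProcessing)
                .newTemplates(new StreamSource(new StringReader(XSL)));
            return "compiled";
        } catch (TransformerConfigurationException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // With secure processing on, the built-in processor refuses the extension call.
        System.out.println("secure processing on:  " + tryCompile(true));
        // With it off, the outcome also depends on the JDK's own
        // extension-function settings, so no result is asserted here.
        System.out.println("secure processing off: " + tryCompile(false));
    }
}
```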
