[ https://issues.apache.org/jira/browse/XERCESJ-1654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16774022#comment-16774022 ]

Philipp Nanz edited comment on XERCESJ-1654 at 2/21/19 12:22 PM:
-----------------------------------------------------------------

It would be nice if Apache Xerces would implement the properties defined in 
JAXP 1.5, see [https://openjdk.java.net/jeps/185] for details. It is super 
confusing that the JDK Xerces fork understands these switches, while the Apache 
Xerces does not.

My biggest concern here is that lots of people set the {{SECURE_PROCESSING}} 
feature because tools like SonarQube tell them to do so, in order to prevent 
XXE attacks. But this really gives them a false sense of security, because as 
soon as the Apache Xerces library is on the classpath, the switch will not have 
the desired effect anymore.


> Add support for properties set by JAXP in the JDK (secure-processing, 
> accessExternalDTD and entityExpansionLimit)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: XERCESJ-1654
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1654
>             Project: Xerces2-J
>          Issue Type: New Feature
>    Affects Versions: 2.11.0
>         Environment: Problem noticed with:
> * jdk1.7.0_71.jdk
> * jdk1.8.0_25.jdk
>            Reporter: Vincent Massol
>            Priority: Major
>
> I have tons of the following warnings in my console when doing an XSLT 
> transformation:
> {noformat}
> Warning:  org.apache.xerces.parsers.SAXParser: Feature 
> 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 
> 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 
> 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not 
> recognized.
> {noformat}
> Code:
> {code}
> import java.io.StringReader;
> import java.io.StringWriter;
> 
> import javax.xml.transform.OutputKeys;
> import javax.xml.transform.Transformer;
> import javax.xml.transform.TransformerException;
> import javax.xml.transform.TransformerFactory;
> import javax.xml.transform.TransformerFactoryConfigurationError;
> import javax.xml.transform.stream.StreamResult;
> import javax.xml.transform.stream.StreamSource;
> 
>     /**
>      * Parse and pretty print XML content.
>      *
>      * @param content the XML content to format
>      * @return the formatted version of the passed XML content
>      * @throws TransformerFactoryConfigurationError when failing to create a
>      *             {@link TransformerFactory}
>      * @throws TransformerException when failing to transform the content
>      * @since 5.2M1
>      */
>     public static String formatXMLContent(String content) throws TransformerFactoryConfigurationError,
>         TransformerException
>     {
>         Transformer transformer = TransformerFactory.newInstance().newTransformer();
>         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
>         StreamResult result = new StreamResult(new StringWriter());
>         StreamSource source = new StreamSource(new StringReader(content));
>         transformer.transform(source, result);
>         return result.getWriter().toString();
>     }
> {code}
> According to what I read at https://issues.apache.org/jira/browse/RAT-158 and 
> at http://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html this seems 
> to have been caused by some changes introduced in the JDK and that XercesJ 
> doesn't support yet.
> Thus this issue is about adding support for them.
> Thanks!
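
Taking Philipp's point above together with the pretty-printer quoted from the issue, the following is an added example (my own code, not XWiki's and not from the Xerces project) of a configuration that does not depend on which Xerces answers SAXParserFactory.newInstance(). The JAXP 1.5 accessExternalDTD switch is still attempted, but the parser is only accepted if it also honours the Xerces-specific features that both the JDK fork and Apache Xerces understand, and the transformer is fed through a SAXSource so that reader, rather than whatever the transformer would pick for a StreamSource, parses the input. The class name HardenedXmlFormatter, the helper names and the XXE probe document are assumptions of the example; the feature URIs are the standard Xerces ones.

```java
import java.io.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.*;

/** Added example (not XWiki's or Xerces' code): XXE-safe pretty-printing on either Xerces. */
public final class HardenedXmlFormatter {

    // Xerces feature URIs understood by both the JDK fork and Apache Xerces.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Sets a SAX feature; returns false (naming the parser that refused) instead of throwing. */
    static boolean trySetFeature(XMLReader reader, String feature, boolean value) {
        try {
            reader.setFeature(feature, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            System.err.println(reader.getClass().getName() + " does not honour feature " + feature);
            return false;
        }
    }

    /** Same for a SAX property, e.g. the JAXP 1.5 accessExternalDTD switch. */
    static boolean trySetProperty(XMLReader reader, String property, Object value) {
        try {
            reader.setProperty(property, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            System.err.println(reader.getClass().getName() + " does not honour property " + property);
            return false;
        }
    }

    /** Builds a reader that fails closed: no DOCTYPE at all, or at least nothing external. */
    public static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // What SonarQube asks for: necessary, but on Apache Xerces 2.11 not sufficient.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = factory.newSAXParser().getXMLReader();

        // JAXP 1.5 switch: honoured by the JDK parser, reported as unknown by Apache Xerces 2.11.
        trySetProperty(reader, XMLConstants.ACCESS_EXTERNAL_DTD, "");

        // Strongest option: reject any DOCTYPE, which removes the XXE surface entirely.
        if (trySetFeature(reader, DISALLOW_DOCTYPE, true)) {
            return reader;
        }
        // Fallback: allow DOCTYPEs but never resolve anything external.
        // Non-short-circuit '&' so every feature is attempted and reported.
        boolean ok = trySetFeature(reader, EXTERNAL_GENERAL, false)
            & trySetFeature(reader, EXTERNAL_PARAMETER, false)
            & trySetFeature(reader, LOAD_EXTERNAL_DTD, false);
        if (!ok) {
            throw new ParserConfigurationException(
                "cannot disable external entities on " + reader.getClass().getName());
        }
        return reader;
    }

    /** The issue's formatXMLContent, with the parse moved into the hardened reader. */
    public static String formatXMLContent(String content)
        throws TransformerException, ParserConfigurationException, SAXException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (IllegalArgumentException e) {
            // Factory predates JAXP 1.5; harmless here because it never parses the input itself.
        }
        Transformer transformer = tf.newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
        // A SAXSource carrying an explicit XMLReader makes OUR parser do the parsing,
        // not whichever one the transformer would silently pick for a StreamSource.
        SAXSource source = new SAXSource(hardenedReader(), new InputSource(new StringReader(content)));
        StreamResult result = new StreamResult(new StringWriter());
        transformer.transform(source, result);
        return result.getWriter().toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE probe; the file URI is illustrative only.
        String xxe = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
            + "<doc><name>&xxe;</name></doc>";
        try {
            // With disallow-doctype-decl this throws; with the fallback features it
            // succeeds but <name> comes out empty because the entity was never fetched.
            System.out.println(formatXMLContent(xxe));
        } catch (TransformerException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
        System.out.println(formatXMLContent("<a><b>plain</b></a>"));
    }
}
```

Run it once with only the JDK and once with xercesImpl on the classpath: the stderr lines name the XMLReader class that was actually picked and the switches it refused, which is the check worth doing before trusting SECURE_PROCESSING on its own. The design choice is to treat the JAXP 1.5 property as a bonus and the Xerces feature set as the mandatory baseline, failing the parser construction rather than parsing with an unknown configuration.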



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-dev-h...@xerces.apache.org
