[ https://issues.apache.org/jira/browse/XERCESJ-1654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280655#comment-17280655 ]

Dave Wichers commented on XERCESJ-1654:
---------------------------------------

An important question here. When code tries to set one of these unsupported 
settings, does Xerces throw an Exception (i.e., 
org.xml.sax.SAXNotRecognizedException, or 
org.xml.sax.SAXNotSupportedException)? Or does it simply log a message to the 
console as the original poster 6 years ago reported? If it at least throws an 
Exception, then anyone trying to use the unsupported feature will at least find 
out and not continue using it thinking they are safe from XXE.

> Add support for properties set by JAXP in the JDK (secure-processing, 
> accessExternalDTD and  entityExpansionLimit)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: XERCESJ-1654
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1654
>             Project: Xerces2-J
>          Issue Type: New Feature
>    Affects Versions: 2.11.0
>         Environment: Problem noticed with:
> * jdk1.7.0_71.jdk
> * jdk1.8.0_25.jdk
>            Reporter: Vincent Massol
>            Priority: Major
>
> I have tons of the following warnings in my console when doing an XSLT 
> transformation:
> {noformat}
> Warning:  org.apache.xerces.parsers.SAXParser: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized.
> {noformat}
> Code:
> {code}
>     /**
>      * Parse and pretty print a XML content.
>      *
>      * @param content the XML content to format
>      * @return the formatted version of the passed XML content
>      * @throws TransformerFactoryConfigurationError when failing to create a
>      *             {@link TransformerFactoryConfigurationError}
>      * @throws TransformerException when failing to transform the content
>      * @since 5.2M1
>      */
>     public static String formatXMLContent(String content)
>         throws TransformerFactoryConfigurationError, TransformerException
>     {
>         Transformer transformer = TransformerFactory.newInstance().newTransformer();
>         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
>         StreamResult result = new StreamResult(new StringWriter());
>         StreamSource source = new StreamSource(new StringReader(content));
>         transformer.transform(source, result);
>         return result.getWriter().toString();
>     }
> {code}
> According to what I read at https://issues.apache.org/jira/browse/RAT-158 and 
> at http://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html this seems 
> to have been caused by some changes introduced in the JDK and that XercesJ 
> doesn't support yet.
> Thus this issue is about adding support for them.
> Thanks!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
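
The distinction raised in the comment above (an exception versus a console warning), as an added example that is not part of the original message and not Xerces or JDK code: a caller that treats a rejected hardening setting as fatal instead of continuing with an unprotected parser. The class name and the limit value are hypothetical, and the example makes no claim about which implementations throw.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

// Added example; the class name and the limit value are hypothetical.
public class FailClosedSaxParser {

    // Property name as it appears in the warnings quoted in the issue.
    static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    /** Returns a parser only if every hardening setting was accepted. */
    public static SAXParser newHardenedParser()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Read back: catches a factory that accepts the call but ignores it.
            if (!factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
                throw new SAXNotSupportedException("secure-processing did not take effect");
            }
            SAXParser parser = factory.newSAXParser();
            // Empty string = no protocols allowed for external DTD access.
            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            parser.setProperty(ENTITY_EXPANSION_LIMIT, "1000"); // constructed limit
            return parser;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Refuse to hand out a parser that lacks the requested protection.
            throw new IllegalStateException("XML parser "
                    + factory.getClass().getName() + " rejected a hardening setting", e);
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            SAXParser parser = newHardenedParser();
            System.out.println("hardened: " + parser.getClass().getName());
        } catch (IllegalStateException e) {
            System.out.println("refusing to parse: " + e.getMessage()
                    + " (" + e.getCause().getMessage() + ")");
        }
    }
}
```

The `catch` branch only helps when the implementation actually throws; the read-back check covers the secure-processing feature alone, so a parser that merely logs a warning for the two properties would still need to be caught by a test that feeds it a document with an external DTD reference.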
