[ https://issues.apache.org/jira/browse/XERCESJ-1654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280655#comment-17280655 ]

Dave Wichers commented on XERCESJ-1654:
---------------------------------------

An important question here. When code tries to set one of these unsupported settings, does Xerces throw an Exception (i.e., org.xml.sax.SAXNotRecognizedException, or org.xml.sax.SAXNotSupportedException)? Or does it simply log a message to the console as the original poster 6 years ago reported?

If it at least throws an Exception, then anyone trying to use the unsupported feature will at least find out and not continue using it thinking they are safe from XXE.

> Add support for properties set by JAXP in the JDK (secure-processing, accessExternalDTD and entityExpansionLimit)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: XERCESJ-1654
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1654
>             Project: Xerces2-J
>          Issue Type: New Feature
>    Affects Versions: 2.11.0
>         Environment: Problem noticed with:
> * jdk1.7.0_71.jdk
> * jdk1.8.0_25.jdk
>            Reporter: Vincent Massol
>            Priority: Major
>
> I have tons of the following warnings in my console when doing an XSLT transformation:
> {noformat}
> Warning:  org.apache.xerces.parsers.SAXParser: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized.
> {noformat}
> Code:
> {code}
>     /**
>      * Parse and pretty print a XML content.
>      *
>      * @param content the XML content to format
>      * @return the formatted version of the passed XML content
>      * @throws TransformerFactoryConfigurationError when failing to create a
>      *             {@link TransformerFactoryConfigurationError}
>      * @throws TransformerException when failing to transform the content
>      * @since 5.2M1
>      */
>     public static String formatXMLContent(String content)
>         throws TransformerFactoryConfigurationError, TransformerException
>     {
>         Transformer transformer = TransformerFactory.newInstance().newTransformer();
>         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
>         StreamResult result = new StreamResult(new StringWriter());
>         StreamSource source = new StreamSource(new StringReader(content));
>         transformer.transform(source, result);
>         return result.getWriter().toString();
>     }
> {code}
> According to what I read at https://issues.apache.org/jira/browse/RAT-158 and at http://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html this seems to have been caused by some changes introduced in the JDK and that XercesJ doesn't support yet.
> Thus this issue is about adding support for them.
> Thanks!
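
The fail-closed pattern the comment above asks about, as an added example that is not part of the original message or of Xerces: the caller sets the three settings named in the issue through the standard JAXP API, treats any rejection as fatal, and reads each value back so that a parser which only logs a warning is also caught. The class name `FailClosedParser`, the helper `require` and the limit value `1000` are assumptions made for this sketch; it makes no claim about what a given Xerces release does.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class FailClosedParser {
    // Property URI copied from the warning text quoted in the issue.
    static final String ENTITY_EXPANSION_LIMIT =
            "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
    static final String LIMIT = "1000"; // constructed value for this example

    /** Returns a parser only if every hardening setting was accepted and reads back as set. */
    static SAXParser newHardenedParser() {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            SAXParser parser = factory.newSAXParser();
            // Empty string = no protocol is allowed for external DTD access.
            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            parser.setProperty(ENTITY_EXPANSION_LIMIT, LIMIT);

            // Read each setting back: a setter that only logs a warning would
            // otherwise look identical to one that succeeded.
            require(factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING),
                    "secure-processing");
            require("".equals(parser.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD)),
                    "accessExternalDTD");
            require(LIMIT.equals(String.valueOf(parser.getProperty(ENTITY_EXPANSION_LIMIT))),
                    "entityExpansionLimit");
            return parser;
        } catch (SAXException | ParserConfigurationException e) {
            // SAXNotRecognizedException and SAXNotSupportedException are SAXExceptions.
            throw new IllegalStateException("XML parser rejected a hardening setting", e);
        }
    }

    static void require(boolean ok, String setting) {
        if (!ok) throw new IllegalStateException(setting + " was not applied by the parser");
    }

    public static void main(String[] args) throws Exception {
        SAXParser parser = newHardenedParser();
        System.out.println("Hardened parser: " + parser.getClass().getName());
        String xml = "<doc><item>constructed sample</item></doc>";
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
    }
}
```

Running it with different parser implementations on the classpath shows which of the two behaviours asked about applies: an `IllegalStateException` from the `catch` block means the setter threw, one from `require` means the setting was silently not applied.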