If that's the position Xerces is taking, then I think Xalan can argue that this 
can be managed by handing Xalan an appropriately configured parser rather than 
having one automatically instantiated.

Which would make the user's wish for an easier solution a feature request 
rather than a bug.

I'm not sure that's the best answer, but it is a consistent answer.

--
Joe

Car Talk has been advised that the staff opticians, C. F. Eyecare, are now 
under new management. It's Ike and Zeke Leary, now; Lorraine is gone.
________________________________
From: Michael Glavassevich <[email protected]>
Sent: Monday, September 8, 2025 12:23:07 PM
To: [email protected] <[email protected]>
Subject: RE: Question about secure processing

The secure processing feature in Xerces guards against two well known denial of 
service attacks. See implementation details here: 
https://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html.
Reading external entities is a different concern and can be managed with other 
XML parser configuration (e.g. an EntityResolver).
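
The approach the two messages above describe, a parser configured by the application and handed to Xalan rather than one Xalan instantiates itself, with an EntityResolver handling the external entity concern, as an added Java example (not code from the thread, Xalan or Xerces); the sample document and its placeholder entity URL are constructed here, and the class and method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedXalanInput {
    // Constructed sample: an external general entity whose system id is a
    // placeholder host. The parser must refuse it before any connection is opened.
    static final String SAMPLE_XML =
        "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://example.invalid/ext.txt\">]>"
        + "<doc>&ext;</doc>";

    // Build the parser ourselves instead of letting Xalan instantiate one.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // JAXP secure processing: on Xerces this enables the SecurityManager that
        // bounds entity expansion (the DoS guard the thread refers to).
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // External entity reads are a separate concern: fail closed in the resolver.
        reader.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("refusing external entity: " + systemId);
        });
        return reader;
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer t = tf.newTransformer(); // identity transform, no stylesheet needed
        // Wrapping the reader in a SAXSource is how the configured parser is handed to Xalan.
        SAXSource in = new SAXSource(hardenedReader(),
                                     new InputSource(new StringReader(SAMPLE_XML)));
        try {
            t.transform(in, new StreamResult(System.out));
        } catch (TransformerException e) {
            // The resolver's SAXException surfaces here; nothing was fetched from the network.
            System.out.println("transform aborted: " + e.getMessage());
        }
    }
}
```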

-----Original Message-----
From: Joseph Kesselman <[email protected]>
Sent: August 22, 2025 4:42 PM
To: [email protected]
Subject: [EXTERNAL] Re: Question about secure processing

When I replaced the URI in the DTD External Entity reference with a legitimate 
one (pointing to a stub server on my own machine), I did get complaints about 
HTML protocol not being correct ... so apparently this is at least trying to 
open the URI.

If it's actually reading the entity, that could be the basis for a DOS attack, 
if nothing else.

We *should* be running with the secure flag set. I can try debuggerizing to 
confirm.
