[
https://issues.apache.org/jira/browse/GROOVY-10560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Paul King updated GROOVY-10560:
-------------------------------
Description:
The main XML processing methods in Groovy default to using secure XML
processing. Some less widely used methods don't have that default. This change
will incorporate that security measure. For users not using doctype processing,
no change should be observed but processing will be more secure. It is a
breaking change for anyone explicitly using doctype processing. Such users
should use the new variant of each related method that is now provided which
allows such processing to be switched back on. These have the same parameters
as the existing method but an additional boolean.
Affected methods:
{code}
XmlUtil#serialize(Element)
XmlUtil#serialize(Element, OutputStream)
XmlUtil#serialize(Element, Writer)
XmlUtil#serialize(String)
XmlUtil#serialize(String, OutputStream)
XmlUtil#serialize(String, Writer)
XmlUtil#newSAXParser(String, boolean, boolean, Source...)
XmlUtil#newSAXParser(String, Source...)
XmlUtil#newSAXParser(String, boolean, boolean, File)
XmlUtil#newSAXParser(String, File)
XmlUtil#newSAXParser(String, boolean, boolean, URL)
XmlUtil#newSAXParser(String, URL)
{code}
was:
The main XML processing methods in Groovy default to using secure XML
processing. Some less widely used methods don't have that default. This change
will incorporate that security measure. For users not using doctype processing,
no change should be observed but processing will be more secure. It is a
breaking change for anyone explicitly using doctype processing. Such users
should use the new variant of each related method that is now provided which
allows such processing to be switched back on. These have the same parameters
as the existing method but an additional boolean.
Affected methods:
{code}
XmlUtil#serialize(Element)
XmlUtil#serialize(Element, OutputStream)
XmlUtil#serialize(Element, Writer)
XmlUtil#serialize(String)
XmlUtil#serialize(String, OutputStream)
XmlUtil#serialize(String, Writer)
{code}
> Provide additional XmlUtil variants for more options when disabling doctypes
> ----------------------------------------------------------------------------
>
> Key: GROOVY-10560
> URL: https://issues.apache.org/jira/browse/GROOVY-10560
> Project: Groovy
> Issue Type: Task
> Reporter: Paul King
> Priority: Major
> Labels: breaking
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The main XML processing methods in Groovy default to using secure XML
> processing. Some less widely used methods don't have that default. This
> change will incorporate that security measure. For users not using doctype
> processing, no change should be observed but processing will be more secure.
> It is a breaking change for anyone explicitly using doctype processing. Such
> users should use the new variant of each related method that is now provided
> which allows such processing to be switched back on. These have the same
> parameters as the existing method but an additional boolean.
> Affected methods:
> {code}
> XmlUtil#serialize(Element)
> XmlUtil#serialize(Element, OutputStream)
> XmlUtil#serialize(Element, Writer)
> XmlUtil#serialize(String)
> XmlUtil#serialize(String, OutputStream)
> XmlUtil#serialize(String, Writer)
> XmlUtil#newSAXParser(String, boolean, boolean, Source...)
> XmlUtil#newSAXParser(String, Source...)
> XmlUtil#newSAXParser(String, boolean, boolean, File)
> XmlUtil#newSAXParser(String, File)
> XmlUtil#newSAXParser(String, boolean, boolean, URL)
> XmlUtil#newSAXParser(String, URL)
> {code}
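The behaviour described in the issue (doctypes rejected by default, with an extra boolean to switch them back on), as an added example in plain JAXP that is not the Groovy project's code. The helper names `parserFor` and `tryParse`, the constructed sample documents, and the use of the `disallow-doctype-decl` parser feature are assumptions for illustration; the page does not show how XmlUtil implements the change.

```groovy
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParser
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.InputSource
import org.xml.sax.SAXParseException
import org.xml.sax.helpers.DefaultHandler

// Hypothetical helper (not part of XmlUtil): builds a SAX parser whose DOCTYPE
// handling is controlled by a single boolean, secure when the flag is false.
SAXParser parserFor(boolean allowDocTypeDeclaration) {
    SAXParserFactory factory = SAXParserFactory.newInstance()
    factory.namespaceAware = true
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Xerces feature, also honoured by the JDK's built-in parser:
    // when true, any DOCTYPE declaration is a fatal parse error.
    factory.setFeature('http://apache.org/xml/features/disallow-doctype-decl',
                       !allowDocTypeDeclaration)
    factory.newSAXParser()
}

// Returns 'parsed' or 'rejected' for the given document and setting.
String tryParse(String xml, boolean allowDocTypeDeclaration) {
    try {
        parserFor(allowDocTypeDeclaration)
            .parse(new InputSource(new StringReader(xml)), new DefaultHandler())
        return 'parsed'
    } catch (SAXParseException e) {
        return 'rejected'
    }
}

// Constructed sample documents: one without a DOCTYPE, one declaring an
// internal entity in a DOCTYPE (no external references).
String plain = '<order><item>book</item></order>'
String withDoctype = '''<!DOCTYPE order [ <!ENTITY title "book"> ]>
<order><item>&title;</item></order>'''

// Callers that never use doctypes see no difference under the secure default.
assert tryParse(plain, false) == 'parsed'
// Callers that relied on doctypes now fail (the breaking change)...
assert tryParse(withDoctype, false) == 'rejected'
// ...until they opt back in through the extra boolean.
assert tryParse(withDoctype, true) == 'parsed'
println 'ok'
```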