Re: Xalan retirement

2023-10-25 Thread Arnout Engelen
On 2023/10/11 01:15:46 Joseph Kesselman wrote:
> Xalan-C was retired to the Attic
>  It was very back level compared to Xalan-J, written in somewhat archaic C++, 
> and didn't have anyone volunteering to actively work on it.

Was it? I couldn't find a reference to this, and it's not obvious from 
https://xalan.apache.org


Kind regards,

Arnout

-
To unsubscribe, e-mail: dev-unsubscr...@xalan.apache.org
For additional commands, e-mail: dev-h...@xalan.apache.org



'trax_bugs.xml' in xalan-java root

2023-06-07 Thread Arnout Engelen
Hi,

I noticed a 'trax_bugs.xml' in the xalan-java root. That looks like it
might be an outdated bug tracking utility - does anyone remember the
background to that? Should it be removed and the issues perhaps transferred
to Jira? Or does it have special significance?


Kind regards,

Arnout


Re: [ANNOUNCE] Xalan 2.7.3 is now on Maven Central

2023-05-05 Thread Arnout Engelen
Awesome! I have also updated the description of
https://www.cve.org/CVERecord?id=CVE-2022-34169

Arnout

On Thu, May 4, 2023 at 9:48 PM Gary Gregory wrote:
>
> Hi All:
>
> Xalan 2.7.3 is now on Maven Central. That's both xalan:xalan and 
> xalan:serializer.
>
> Enjoy ;-)
> Gary
>


-- 
Arnout Engelen
ASF Security Response
Committer on Apache Pekko
Committer on NixOS
Independent Open Source consultant




Re: Security section for the Xalan website

2023-01-20 Thread Arnout Engelen
On Thu, Jan 19, 2023 at 3:49 PM Gary Gregory wrote:
> I'm worried these changes will just be overwritten when we publish the site 
> for the upcoming 2.7.3 version. The changes should be done to the site 
> sources in the git repo.

Ha, sorry, missed that somehow... I assume that'd be
https://github.com/apache/xalan-site/pull/1 ?


Kind regards,

Arnout

> On Thu, Jan 19, 2023, 04:27 Arnout Engelen wrote:
>>
>> Hello,
>>
>> It seems people occasionally don't realize they should expect to take
>> some precautions before using Xalan on untrusted input. It might be
>> good to make an explicit note about that on the website, something
>> like the attached patch?
>>
>> Of course it would be even better if we could provide (or link to)
>> in-depth instructions, but until we have something like that I think
>> just highlighting the fact that this needs people's attention would be
>> an improvement.
>>
>> The patch is against https://svn.apache.org/repos/asf/xalan/site/ . I
>> also took the opportunity of updating some links to https.
>>
>>
>> Kind regards,
>>
>> Arnout
>>




Security section for the Xalan website

2023-01-19 Thread Arnout Engelen
Hello,

It seems people occasionally don't realize they should expect to take
some precautions before using Xalan on untrusted input. It might be
good to make an explicit note about that on the website, something
like the attached patch?

Of course it would be even better if we could provide (or link to)
in-depth instructions, but until we have something like that I think
just highlighting the fact that this needs people's attention would be
an improvement.

The patch is against https://svn.apache.org/repos/asf/xalan/site/ . I
also took the opportunity of updating some links to https.


Kind regards,

Arnout
Index: docs/xalan/charter.html
===
--- docs/xalan/charter.html	(revision 1906770)
+++ docs/xalan/charter.html	(working copy)
@@ -30,7 +30,7 @@
 
 
 
-http://xalan.apache.org/index.html;>
+https://xalan.apache.org/index.html;>
 
 
 
@@ -47,19 +47,19 @@
 
 
 
-http://www.apache.org;>Apache Foundation
+https://www.apache.org;>Apache Foundation
 
 
-http://xalan.apache.org;>Xalan Project
+https://xalan.apache.org;>Xalan Project
 
 
-http://xerces.apache.org;>Xerces Project
+https://xerces.apache.org;>Xerces Project
 
 
-http://www.w3.org/TR;>Web Consortium
+https://www.w3.org/TR;>Web Consortium
 
 
-http://www.oasis-open.org/standards;>Oasis Open
+https://www.oasis-open.org/standards;>Oasis Open
 
 
 
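
Review bot: The http to https rewrites of the five links in this hunk, like the matching ones in the other hunks, are unrelated to the new Security section. Put them in a separate change so the security wording can be reviewed and merged on its own, and confirm that each target, for example www.oasis-open.org/standards, serves the same page over https before switching.
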
@@ -73,7 +73,7 @@
 Charter
 
 
-http://wiki.apache.org/xalan;>Xalan Wiki
+https://wiki.apache.org/xalan;>Xalan Wiki
 
 
 Projects
@@ -91,34 +91,34 @@
 Mail Lists
 
 
-http://marc.info/?l=xalan-dev;>Developers
+https://marc.info/?l=xalan-dev;>Developers
 
 
-http://marc.info/?l=xalan-c-users;>C Users
+https://marc.info/?l=xalan-c-users;>C Users
 
 
-http://marc.info/?l=xalan-j-users;>J Users
+https://marc.info/?l=xalan-j-users;>J Users
 
 
 Resources
 
 
-http://www.apache.org/;>Apache
+https://www.apache.org/;>Apache
 
 
-http://www.apache.org/foundation/getinvolved.html;>Get Involved
+https://www.apache.org/foundation/getinvolved.html;>Get Involved
 
 
-http://www.apache.org/licenses/;>Licenses
+https://www.apache.org/licenses/;>Licenses
 
 
-http://www.apache.org/foundation/sponsorship.html;>Sponsorship
+https://www.apache.org/foundation/sponsorship.html;>Sponsorship
 
 
-http://www.apache.org/foundation/thanks.html;>Thanks
+https://www.apache.org/foundation/thanks.html;>Thanks
 
 
-http://www.apache.org/security/;>Security
+Security
 
 
 
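
Review bot: The last changed line of this hunk drops the `http://www.apache.org/security/` target from the Security entry in the Resources list, and none of the charter.html hunks add a Security section to this page. If the entry now points at the new section, the href here has to name index.html explicitly, since a same-page fragment would not resolve from charter.html.
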
@@ -468,7 +468,7 @@
 (top)
 
 
-Copyright © 1999-2014 The Apache Software FoundationApache, Xalan, and the Feather logo are trademarks of The Apache Software FoundationWeb Page created on - Fri 2014-05-16
+Copyright © 1999-2014 The Apache Software FoundationApache, Xalan, and the Feather logo are trademarks of The Apache Software FoundationWeb Page created on - Wed 2023-01-18
 
 
 
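
Review bot: The footer line now reads `Web Page created on - Wed 2023-01-18` while the copyright range on the same line still ends at 2014, and a changing build date suggests this file is generated output rather than source. If so, make the edit in the site sources so that regenerating the page does not overwrite it, and decide there whether the copyright range should be updated as well.
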
Index: docs/xalan/index.html
===
--- docs/xalan/index.html	(revision 1906770)
+++ docs/xalan/index.html	(working copy)
@@ -30,7 +30,7 @@
 
 
 
-http://xalan.apache.org/index.html;>
+https://xalan.apache.org/index.html;>
 
 
 
@@ -47,19 +47,19 @@
 
 
 
-http://www.apache.org;>Apache Foundation
+https://www.apache.org;>Apache Foundation
 
 
-http://xalan.apache.org;>Xalan Project
+https://xalan.apache.org;>Xalan Project
 
 
-http://xerces.apache.org;>Xerces Project
+https://xerces.apache.org;>Xerces Project
 
 
-http://www.w3.org/TR;>Web Consortium
+https://www.w3.org/TR;>Web Consortium
 
 
-http://www.oasis-open.org/standards;>Oasis Open
+https://www.oasis-open.org/standards;>Oasis Open
 
 
 
@@ -73,7 +73,7 @@
 Charter
 
 
-http://wiki.apache.org/xalan;>Xalan Wiki
+https://wiki.apache.org/xalan;>Xalan Wiki
 
 
 Projects
@@ -91,34 +91,34 @@
 Mail Lists
 
 
-http://marc.info/?l=xalan-dev;>Developers
+https://marc.info/?l=xalan-dev;>Developers
 
 
-http://marc.info/?l=xalan-c-users;>C Users
+https://marc.info/?l=xalan-c-users;>C Users
 
 
-http://marc.info/?l=xalan-j-users;>J Users
+https://marc.info/?l=xalan-j-users;>J Users
 
 
 Resources
 
 
-http://www.apache.org/;>Apache
+https://www.apache.org/;>Apache
 
 
-http://www.apache.org/foundation/getinvolved.html;>Get Involved
+https://www.apache.org/foundation/getinvolved.html;>Get Involved
 
 
-http://www.apache.org/licenses/;>Licenses
+https://www.apache.org/licenses/;>Licenses
 
 
-http://www.apache.org/foundation/sponsorship.html;>Sponsorship
+https://www.apache.org/foundation/sponsorship.html;>Sponsorship
 
 
-http://www.apache.org/foundation/thanks.html;>Thanks
+https://www.apache.org/foundation/thanks.html;>Thanks
 
 
-http://www.apache.org/security/;>Security
+Security
 
 
 
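
Review bot: The Security entry in the Resources list loses its `http://www.apache.org/security/` target here too, and that was the only link to the ASF security page visible in this list. Keep that page reachable, for example by linking to https://www.apache.org/security/ from the new Security section added in the last hunk of this file.
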
@@ -301,12 +301,23 @@
  http://www.apache.org/foundation/getinvolved.html;>how to 
 participate in the various development efforts.
 
+‌
+
+(top)
+
+Security
+Xerces and Xalan do what the XML specs require by default. In some cases, this may not be appropriate behavior when working with untrusted input: the
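
Review bot: The unchanged context line at the top of this hunk still links to `http://www.apache.org/foundation/getinvolved.html`, while the Resources entry for the same page was switched to https earlier in this file. Update this link as well so the page does not mix schemes for the same target.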