Hello,

It seems people occasionally don't realize they should expect to take some precautions before using Xalan on untrusted input. It might be good to make an explicit note about that on the website, something like the attached patch?

Of course it would be even better if we could provide (or link to) in-depth instructions, but until we have something like that I think just highlighting the fact that this needs people's attention would be an improvement.

The patch is against https://svn.apache.org/repos/asf/xalan/site/. I also took the opportunity of updating some links to https.

Kind regards,
Arnout

Index: docs/xalan/charter.html
===
--- docs/xalan/charter.html (revision 1906770)
+++ docs/xalan/charter.html (working copy)
@@ -30,7 +30,7 @@
-http://xalan.apache.org/index.html;>
+https://xalan.apache.org/index.html;>
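Review bot: this hunk (and the identical ones in index.html) edits generated HTML, as the footer's "Web Page created on" stamp further down shows; unless the http-to-https change is also made in whatever source or template produces these pages, the next regeneration will silently revert it, so the patch should include the source change or the commit message should say why editing the output directly is acceptable here.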
@@ -47,19 +47,19 @@
-http://www.apache.org;>Apache Foundation
+https://www.apache.org;>Apache Foundation
-http://xalan.apache.org;>Xalan Project
+https://xalan.apache.org;>Xalan Project
-http://xerces.apache.org;>Xerces Project
+https://xerces.apache.org;>Xerces Project
-http://www.w3.org/TR;>Web Consortium
+https://www.w3.org/TR;>Web Consortium
-http://www.oasis-open.org/standards;>Oasis Open
+https://www.oasis-open.org/standards;>Oasis Open
@@ -73,7 +73,7 @@
Charter
-http://wiki.apache.org/xalan;>Xalan Wiki
+https://wiki.apache.org/xalan;>Xalan Wiki
Projects
@@ -91,34 +91,34 @@
Mail Lists
-http://marc.info/?l=xalan-dev;>Developers
+https://marc.info/?l=xalan-dev;>Developers
-http://marc.info/?l=xalan-c-users;>C Users
+https://marc.info/?l=xalan-c-users;>C Users
-http://marc.info/?l=xalan-j-users;>J Users
+https://marc.info/?l=xalan-j-users;>J Users
Resources
-http://www.apache.org/;>Apache
+https://www.apache.org/;>Apache
-http://www.apache.org/foundation/getinvolved.html;>Get Involved
+https://www.apache.org/foundation/getinvolved.html;>Get Involved
-http://www.apache.org/licenses/;>Licenses
+https://www.apache.org/licenses/;>Licenses
-http://www.apache.org/foundation/sponsorship.html;>Sponsorship
+https://www.apache.org/foundation/sponsorship.html;>Sponsorship
-http://www.apache.org/foundation/thanks.html;>Thanks
+https://www.apache.org/foundation/thanks.html;>Thanks
-http://www.apache.org/security/;>Security
+Security
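Review bot: the last pair in this hunk drops the absolute target http://www.apache.org/security/ from the "Security" entry and the replacement line shows no target at all, whereas every other entry in this Resources block keeps an absolute https URL; confirm the new target resolves from charter.html (not only from index.html, where the new Security section is added) and consider keeping the ASF security page link as well, since that is where vulnerability reports are directed.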
@@ -468,7 +468,7 @@
(top)
-Copyright © 1999-2014 The Apache Software FoundationApache, Xalan, and the Feather logo are trademarks of The Apache Software FoundationWeb Page created on - Fri 2014-05-16
+Copyright © 1999-2014 The Apache Software FoundationApache, Xalan, and the Feather logo are trademarks of The Apache Software FoundationWeb Page created on - Wed 2023-01-18
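Review bot: the generation date advances to Wed 2023-01-18 but the copyright range stays at 1999-2014; if the footer is being touched anyway, the year range should be updated in the same change (or, if it is emitted by the generator, fixed there) so the regenerated page is consistent.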
Index: docs/xalan/index.html
===
--- docs/xalan/index.html (revision 1906770)
+++ docs/xalan/index.html (working copy)
@@ -30,7 +30,7 @@
-http://xalan.apache.org/index.html;>
+https://xalan.apache.org/index.html;>
@@ -47,19 +47,19 @@
-http://www.apache.org;>Apache Foundation
+https://www.apache.org;>Apache Foundation
-http://xalan.apache.org;>Xalan Project
+https://xalan.apache.org;>Xalan Project
-http://xerces.apache.org;>Xerces Project
+https://xerces.apache.org;>Xerces Project
-http://www.w3.org/TR;>Web Consortium
+https://www.w3.org/TR;>Web Consortium
-http://www.oasis-open.org/standards;>Oasis Open
+https://www.oasis-open.org/standards;>Oasis Open
@@ -73,7 +73,7 @@
Charter
-http://wiki.apache.org/xalan;>Xalan Wiki
+https://wiki.apache.org/xalan;>Xalan Wiki
Projects
@@ -91,34 +91,34 @@
Mail Lists
-http://marc.info/?l=xalan-dev;>Developers
+https://marc.info/?l=xalan-dev;>Developers
-http://marc.info/?l=xalan-c-users;>C Users
+https://marc.info/?l=xalan-c-users;>C Users
-http://marc.info/?l=xalan-j-users;>J Users
+https://marc.info/?l=xalan-j-users;>J Users
Resources
-http://www.apache.org/;>Apache
+https://www.apache.org/;>Apache
-http://www.apache.org/foundation/getinvolved.html;>Get Involved
+https://www.apache.org/foundation/getinvolved.html;>Get Involved
-http://www.apache.org/licenses/;>Licenses
+https://www.apache.org/licenses/;>Licenses
-http://www.apache.org/foundation/sponsorship.html;>Sponsorship
+https://www.apache.org/foundation/sponsorship.html;>Sponsorship
-http://www.apache.org/foundation/thanks.html;>Thanks
+https://www.apache.org/foundation/thanks.html;>Thanks
-http://www.apache.org/security/;>Security
+Security
@@ -301,12 +301,23 @@
http://www.apache.org/foundation/getinvolved.html;>how to
participate in the various development efforts.
+
+
+(top)
+
+Security
+Xerces and Xalan do what the XML specs require by default. In some cases, this may not be appropriate behavior when working with untrusted input: the
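Review bot: the unchanged context line http://www.apache.org/foundation/getinvolved.html;>how to at the top of this hunk is still plain http although the cover note says links were updated to https, so that one was missed. Also, the new Security section opens by saying default spec-compliant behaviour "may not be appropriate" for untrusted input; the hunk header promises eleven added lines but only this opening sentence is visible here, so before committing make sure the section goes on to name the concrete features users must disable or configure (or links to the page that does), otherwise the note warns without telling anyone what to change.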