[ http://issues.apache.org/jira/browse/XALANJ-2136?page=all ]

Morris Kwan closed XALANJ-2136:
-------------------------------

> JAXP 1.3: support the secure processing feature
> -----------------------------------------------
>
>          Key: XALANJ-2136
>          URL: http://issues.apache.org/jira/browse/XALANJ-2136
>      Project: XalanJ2
>         Type: Bug
>   Components: JAXP
>     Versions: Latest Development Code
>     Reporter: Morris Kwan
>     Assignee: Morris Kwan
>      Fix For: 2.7
>  Attachments: secure_processing_feature_xalan.patch,
>               secure_processing_feature_xsltc.patch
>
> In JAXP 1.3, the TransformerFactory.setFeature() method must support the
> secure processing feature. The following paragraph is taken from the javadocs
> of the TransformerFactory.setFeature() method:
>
> All implementations are required to support the
> XMLConstants.FEATURE_SECURE_PROCESSING feature. When the feature is:
> -- true: the implementation will limit XML processing to conform to
> implementation limits and behave in a secure fashion as defined by the
> implementation. Examples include resolving user defined style sheets and
> functions. If XML processing is limited for security reasons, it will be
> reported via a call to the registered
> ErrorListener.fatalError(TransformerException exception). See
> setErrorListener(ErrorListener listener).
> -- false: the implementation will process XML according to the XML
> specifications without regard to possible implementation limits.
>
> Sun's contributed JAXP 1.3 implementation only exposes the feature. But it
> does not use the feature to limit the XML processing behavior. The proposed
> patch will implement the following restrictions when the secure processing
> feature is set to true:
> 1. use of extension elements and extension functions is disabled
> 2. the secure processing feature is also passed to all parsers created by the
> XSLT processor.

--
This message is automatically generated by JIRA.
