The XML parser factories in use should set the attributes XMLConstants.ACCESS_EXTERNAL_SCHEMA, XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET to "".
Nonetheless, users on the latest version of Xalan (2.7.2, released in 2014), or users with other libraries that do not support those attributes, would encounter an exception when these attributes are set. We should
- either ensure we are using a TransformerFactory and a DocumentBuilderFactory that support those attributes (by discarding those that don't in the ServiceLoader? by forcing use of the JDK-internal Xalan?),
- or set those attributes anyway, log an explicit error message, and document in the migration guide how to exclude Xalan or other such libraries.
Note that a new release of Xalan was "looked forward to" by the project management committee a year ago, but it no longer seems very likely, as the community is not very active (see the corresponding board minutes).
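As an added illustration of the second option (set the attributes anyway and log an explicit error when the implementation rejects them), here is a helper of the shape described; it is example code, not the project's own, and the class name, logger and message text are assumptions:

```java
import java.util.logging.Logger;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;

/** Added example (hypothetical class): XML factories with external access disabled. */
public final class HardenedXmlFactories {
    private static final Logger LOG = Logger.getLogger(HardenedXmlFactories.class.getName());

    /** Factory for DOM parsing: no external DTDs, no external schemas. */
    public static DocumentBuilderFactory newDocumentBuilderFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        setOrLog(dbf, XMLConstants.ACCESS_EXTERNAL_DTD);
        setOrLog(dbf, XMLConstants.ACCESS_EXTERNAL_SCHEMA);
        dbf.setExpandEntityReferences(false); // do not inline entity content into the DOM
        return dbf;
    }

    /** Factory for XSLT: no external DTDs, no external stylesheets. */
    public static TransformerFactory newTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        setOrLog(tf, XMLConstants.ACCESS_EXTERNAL_DTD);
        setOrLog(tf, XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
        return tf;
    }

    // "" means no protocols are allowed, i.e. all external access is denied.
    // An implementation that does not know the attribute throws IllegalArgumentException.
    private static void setOrLog(DocumentBuilderFactory dbf, String attribute) {
        try {
            dbf.setAttribute(attribute, "");
        } catch (IllegalArgumentException e) {
            logUnsupported(dbf.getClass().getName(), attribute);
        }
    }

    private static void setOrLog(TransformerFactory tf, String attribute) {
        try {
            tf.setAttribute(attribute, "");
        } catch (IllegalArgumentException e) {
            logUnsupported(tf.getClass().getName(), attribute);
        }
    }

    // Explicit message, as the issue proposes: an old Xalan (2.7.2) or another implementation
    // that rejects the attribute leaves external access unrestricted, so say so loudly.
    private static void logUnsupported(String impl, String attribute) {
        LOG.severe(impl + " does not support " + attribute + "; external XML access is NOT"
                + " restricted. Exclude this XML implementation from the classpath"
                + " (see the migration guide).");
    }
}
```

The logged class name tells the operator which implementation the ServiceLoader picked, which is the information needed to exclude it.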
Do you want to request a feature or report a bug?
Security vulnerability correction
What is the current behavior?
XML parser factories can access external entities, see DomUtil.java
What is the expected behavior?
XML parser factories should not be granted external access
What is the motivation / use case for changing the behavior?
Quality gate passed / avoiding security vulnerability