|
20 | 20 | import org.verapdf.core.VeraPDFException; |
21 | 21 | import org.verapdf.core.utils.FileUtils; |
22 | 22 |
|
23 | | -import javax.xml.transform.Templates; |
24 | | -import javax.xml.transform.Transformer; |
25 | | -import javax.xml.transform.TransformerException; |
26 | | -import javax.xml.transform.TransformerFactory; |
| 23 | +import javax.xml.XMLConstants; |
| 24 | +import javax.xml.transform.*; |
27 | 25 | import javax.xml.transform.stream.StreamResult; |
28 | 26 | import javax.xml.transform.stream.StreamSource; |
29 | 27 | import java.io.*; |
30 | 28 | import java.util.Arrays; |
31 | 29 | import java.util.List; |
| 30 | +import java.util.logging.Level; |
| 31 | +import java.util.logging.Logger; |
32 | 32 |
|
33 | 33 | /** |
34 | 34 | * The veraPDF policy checker which is simply an abstraction that makes applying |
|
39 | 39 | * @version 0.1 Created 12 Dec 2016:17:51:12 |
40 | 40 | */ |
41 | 41 | public final class PolicyChecker { |
42 | | - private static final TransformerFactory factory = TransformerFactory.newInstance(); |
| 42 | + |
| 43 | + private static final Logger LOGGER = Logger.getLogger(PolicyChecker.class.getCanonicalName()); |
| 44 | + |
| 45 | + private static final TransformerFactory factory = getTransformerFactory(); |
43 | 46 | public static final String SCHEMA_EXT = "sch"; //$NON-NLS-1$ |
44 | 47 | public static final String XSL_EXT = "xsl"; //$NON-NLS-1$ |
45 | 48 | public static final String XSLT_EXT = "xslt"; //$NON-NLS-1$ |
@@ -204,4 +207,15 @@ private static void applySchematronXsl(final InputStream schematronXsl, final In |
204 | 207 | Transformer transformer = factory.newTransformer(new StreamSource(schematronXsl)); |
205 | 208 | transformer.transform(new StreamSource(xmlReport), new StreamResult(policyReport)); |
206 | 209 | } |
| 210 | + |
| 211 | + private static TransformerFactory getTransformerFactory() { |
| 212 | + TransformerFactory fact = TransformerFactory.newInstance(); |
| 213 | + try { |
| 214 | + fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); |
| 215 | + fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file"); |
| 216 | + } catch (TransformerConfigurationException e) { |
| 217 | + LOGGER.log(Level.WARNING, "Unable to secure xsl transformer"); |
| 218 | + } |
| 219 | + return fact; |
| 220 | + } |
207 | 221 | } |
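Review bot: `getTransformerFactory()` fails open, and its `catch` does not cover the exception that the second call is documented to throw. If `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` throws, the handler logs a warning without the exception and returns the unhardened factory; `ACCESS_EXTERNAL_STYLESHEET` is then never attempted, because both calls share one `try`. `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the implementation does not recognise the attribute, and that is not caught here. Since the method runs from the static initialiser of `factory`, the exception would surface as a class-initialisation failure of `PolicyChecker` when a transformer implementation that lacks the attribute is on the classpath. I would configure the two settings independently, pass `e` to `LOGGER.log`, and decide explicitly whether policy checking may continue with a factory that could not be secured.

```java
private static TransformerFactory getTransformerFactory() {
    TransformerFactory fact = TransformerFactory.newInstance();
    try {
        fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (TransformerConfigurationException e) {
        LOGGER.log(Level.WARNING, "Unable to enable secure processing on xsl transformer", e);
    }
    try {
        fact.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");
    } catch (IllegalArgumentException e) {
        // Thrown when the TransformerFactory implementation does not recognise the attribute.
        LOGGER.log(Level.WARNING, "Unable to restrict external stylesheet access on xsl transformer", e);
    }
    return fact;
}
```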