Xalan XSL Transformer User's Guide

What's new in Xalan-Java 2

What's new in Xalan-Java Version 2.7.2

Here's what's new in Xalan-Java Version 2.7.2.

Fix for CVE-2014-0107: insufficient secure processing

When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties xalan:content-handler and xalan:entities should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops).

These properties can be used to load an arbitrary class or to access an arbitrary URL or resource, so they are problematic when secure processing is desired:

<xsl:output xalan:content-handler="org.example.BadClass" ...

<xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...

These features could be used to load a class that has undesirable side effects, or to load a large file and exhaust memory.

See XALANJ-2435.
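The following is an added example, not code from the Xalan project or from this page. It shows the two defensive measures a practitioner would combine: enabling FEATURE_SECURE_PROCESSING on the TransformerFactory (the setting the 2.7.2 fix honours), and, for deployments that cannot yet rely on that fix, inspecting an untrusted stylesheet for any attribute in the xalan namespace on an xsl:output element before compiling it. The class name org.example.BadClass and the URL are the page's own placeholders; the sample stylesheets and the "disallow-doctype-decl" Xerces parser feature are assumptions of this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.List;

public class SecureXalanOutputProps {

    static final String XSL_NS = "http://www.w3.org/1999/XSL/Transform";
    static final String XALAN_NS = "http://xml.apache.org/xalan";

    // Constructed sample: an untrusted stylesheet carrying both output properties
    // discussed on this page ("org.example.BadClass" is a placeholder, not a real class).
    static final String UNTRUSTED_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + XSL_NS + "\" xmlns:xalan=\"" + XALAN_NS + "\">"
      + "<xsl:output method=\"xml\" xalan:content-handler=\"org.example.BadClass\""
      + " xalan:entities=\"http://example.org/reallyLargeFile.bin\"/>"
      + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc\"/></out></xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed sample: the same stylesheet without any xalan:* output properties.
    static final String CLEAN_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + XSL_NS + "\">"
      + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
      + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc\"/></out></xsl:template>"
      + "</xsl:stylesheet>";

    /** Lists every attribute in the xalan namespace found on an xsl:output element. */
    static List<String> findXalanOutputProperties(String stylesheet) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: the stylesheet is data we do not trust, so no DOCTYPE either.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(stylesheet)));

        List<String> found = new ArrayList<>();
        NodeList outputs = doc.getElementsByTagNameNS(XSL_NS, "output");
        for (int i = 0; i < outputs.getLength(); i++) {
            NamedNodeMap attrs = outputs.item(i).getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Node a = attrs.item(j);
                if (XALAN_NS.equals(a.getNamespaceURI())) {
                    found.add("xalan:" + a.getLocalName() + "=" + a.getNodeValue());
                }
            }
        }
        return found;
    }

    /** TransformerFactory with secure processing enabled, which 2.7.2 honours for output properties. */
    static TransformerFactory secureFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    /** Returns the transformation result, or null when the stylesheet is rejected by the pre-check. */
    static String transformIfSafe(String stylesheet, String input) throws Exception {
        List<String> suspicious = findXalanOutputProperties(stylesheet);
        if (!suspicious.isEmpty()) {
            System.out.println("Rejected stylesheet; xalan output properties present: " + suspicious);
            return null;
        }
        Transformer t = secureFactory().newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(input)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("untrusted -> " + transformIfSafe(UNTRUSTED_XSL, "<doc>hello</doc>"));
        System.out.println("clean     -> " + transformIfSafe(CLEAN_XSL, "<doc>hello</doc>"));
    }
}
```

The pre-check is deliberately independent of the Xalan version in use: even on 2.7.2, where the factory ignores the two properties under secure processing, logging their presence in an untrusted stylesheet is a useful detection signal, since a stylesheet that names a content handler class or an entities URL has no business being supplied by an outside party.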


Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01

The distributions contain upgraded versions of xercesImpl.jar (Xerces-J 2.11.0) and xml-apis.jar (XML Commons External 1.4.01).


Bug fixes

Xalan-Java Version 2.7.2 contains performance enhancements and other bug fixes since 2.7.1. You can find the list in the release notes.
