What's new in Xalan-Java 2
What's new in Xalan-Java Version 2.7.2
Here's what's new in Xalan-Java Version 2.7.2.
Fix for CVE-2014-0107 insufficient secure processing
When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties:
- {http://xml.apache.org/xalan}content-handler
- {http://xml.apache.org/xalan}entities
- {http://xml.apache.org/xslt}content-handler
- {http://xml.apache.org/xslt}entities
should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops). The feature has to be set on the TransformerFactory before the stylesheet is compiled, because it is applied to the Templates and Transformers that factory creates afterwards.
These properties can be used to load an arbitrary class or access an arbitrary URL/resource, so they are problematic when secure processing is desired. A stylesheet is all an attacker needs to trigger them:
<xsl:output xalan:content-handler="org.example.BadClass" ...
<xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
The first loads and instantiates a caller-chosen class, which may have undesirable side effects; the second fetches a caller-chosen resource, so pointing it at a very large file can exhaust memory.
See XALANJ-2435.
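The following is an added example, not code from the Xalan-J project or from the release note above. It shows the two sides of the fix described here: a TransformerFactory with FEATURE_SECURE_PROCESSING enabled before any stylesheet is compiled, and a pre-compile check that rejects stylesheets whose xsl:output carries content-handler or entities in the xalan or xslt extension namespaces, which is the only protection available on a Xalan build older than 2.7.2. The class and method names (SecureXalanDemo, newSecureFactory, usesXalanOutputExtensions, transform) and the embedded stylesheet and input document are constructed for the example; the stylesheet reuses the org.example.BadClass attribute value from the text above.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Templates;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (hypothetical class name): secure Xalan usage around CVE-2014-0107. */
public class SecureXalanDemo {

    private static final String XSLT_NS = "http://www.w3.org/1999/XSL/Transform";
    // The two extension namespaces whose content-handler / entities properties are affected.
    private static final String XALAN_NS = "http://xml.apache.org/xalan";
    private static final String XSLT_EXT_NS = "http://xml.apache.org/xslt";

    // Constructed sample: an untrusted stylesheet carrying the xalan:content-handler attribute.
    static final String UNTRUSTED_XSLT =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"" + XSLT_NS + "\" xmlns:xalan=\"" + XALAN_NS + "\">"
      + " <xsl:output method=\"xml\" xalan:content-handler=\"org.example.BadClass\"/>"
      + " <xsl:template match=\"/\"><out><xsl:value-of select=\"/doc\"/></out></xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed sample input document.
    static final String INPUT_XML = "<doc>hello</doc>";

    /** Factory with secure processing enabled before any Templates are compiled from it. */
    static TransformerFactory newSecureFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    /**
     * Defence in depth for deployments still on a Xalan build without the fix:
     * returns true if any xsl:output element declares content-handler or entities
     * in the xalan or xslt extension namespace. The stylesheet is parsed with a
     * namespace-aware, secure, DOCTYPE-free parser so the check itself is not an XXE vector.
     */
    static boolean usesXalanOutputExtensions(String xslt) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xslt)));

        NodeList outputs = doc.getElementsByTagNameNS(XSLT_NS, "output");
        for (int i = 0; i < outputs.getLength(); i++) {
            NamedNodeMap attrs = outputs.item(i).getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Attr a = (Attr) attrs.item(j);
                String ns = a.getNamespaceURI();
                String name = a.getLocalName();
                if ((XALAN_NS.equals(ns) || XSLT_EXT_NS.equals(ns))
                        && ("content-handler".equals(name) || "entities".equals(name))) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Compiles the stylesheet with the given factory and transforms xml to a string. */
    static String transform(TransformerFactory tf, String xslt, String xml) throws Exception {
        Templates templates = tf.newTemplates(new StreamSource(new StringReader(xslt)));
        Transformer tr = templates.newTransformer();
        StringWriter out = new StringWriter();
        tr.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Pre-2.7.2 builds: refuse the stylesheet outright.
        if (usesXalanOutputExtensions(UNTRUSTED_XSLT)) {
            System.out.println("stylesheet uses xalan/xslt output extensions; rejected on old builds");
        }
        // 2.7.2 and later with secure processing: the attribute is ignored and the
        // transform proceeds as if it were absent. Without the feature, Xalan would
        // try to load org.example.BadClass as the output ContentHandler.
        System.out.println(transform(newSecureFactory(), UNTRUSTED_XSLT, INPUT_XML));
    }
}
```

The DOM check only sees attributes declared on xsl:output in the stylesheet text; the same properties can also be supplied by application code through Transformer.setOutputProperty with the {http://xml.apache.org/xalan}content-handler or {http://xml.apache.org/xalan}entities keys, so that path needs the secure-processing feature as well. Run the check and the transform against the Xalan build actually on the classpath, since TransformerFactory.newInstance() may pick up the JDK's bundled copy instead of xalan.jar.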
Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01
The distributions contain upgraded versions of xercesImpl.jar (Xerces-J 2.11.0) and xml-apis.jar (XML Commons External 1.4.01).