Uploaded image for project: 'Camel'
  1. Camel
  2. CAMEL-14501

gain fully control of xml parser used by saxon

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1.0, 2.25.1
    • Component/s: camel-xslt
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      currently we can configure TransformerFactory used by saxon by specifying features/attributes there. However, this can only take effect on an XML parser that Saxon creates. It has no effect if camel application creates the XML parser (that is, if the input is supplied to Saxon as a Source object)

      Per saxon community discussion here ,

      If you want detailed control over parsing, the best way is to create an XMLReader yourself and supply it to Saxon within a SAXSource object.
      

      So we need to saxonReaderProperties option to camel-xslt-saxon endpoint, if saxonReaderProperties isn't null, create a XMLReader and specify features on it, so that we can gain fully control of xml parsed used by saxon. This is important to prevent XXE attack when using saxon to do xslt transform. Like by disabling uri=http://xml.org/sax/features/external-general-entities" to not access sensitive local files.

        Attachments

          Activity

            People

            • Assignee:
              ffang Freeman Yue Fang
              Reporter:
              ffang Freeman Yue Fang
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: