  1. Camel
  2. CAMEL-14501

Gain full control of XML parser used by Saxon


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.1.0, 2.25.1
    • camel-xslt
    • None
    • Unknown

    Description

      Currently we can configure the TransformerFactory used by Saxon by specifying features/attributes there. However, this can only take effect on an XML parser that Saxon creates. It has no effect if the Camel application creates the XML parser (that is, if the input is supplied to Saxon as a Source object).

      Per the Saxon community discussion here,

      If you want detailed control over parsing, the best way is to create an XMLReader yourself and supply it to Saxon within a SAXSource object.
      

      So we need to add a saxonReaderProperties option to the camel-xslt-saxon endpoint. If saxonReaderProperties isn't null, create an XMLReader and specify features on it, so that we can gain full control of the XML parser used by Saxon. This is important to prevent XXE attacks when using Saxon to do XSLT transforms, for example by disabling the feature "http://xml.org/sax/features/external-general-entities" so that sensitive local files cannot be accessed.
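
      The approach described above (create the XMLReader yourself, set features on it, hand it over in a SAXSource), as an added example that is not part of the original issue and is not Camel's implementation. It uses only standard JAXP/SAX calls; the class name, the temp file and the sample document are constructed for illustration, and disabling external-parameter-entities is an addition beyond the one feature the issue names.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

// Hypothetical demo class, not Camel code.
public class HardenedReaderDemo {

    // Build the XMLReader ourselves so the features apply to the parser
    // that actually reads the input, not only to one the transformer creates.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    // Identity transform over a SAXSource that carries our reader.
    // With Saxon on the classpath, newInstance() may return Saxon's factory.
    static String transform(String xml, XMLReader reader) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        t.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file stands in for a sensitive local file.
        Path secret = Files.createTempFile("demo-secret", ".txt");
        Files.writeString(secret, "LOCAL-FILE-CONTENT");
        String xml = "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + secret.toUri() + "\">]><r>&e;</r>";
        String result = transform(xml, hardenedReader());
        System.out.println(result);
        // Check whether the external entity was expanded into the output.
        System.out.println(result.contains("LOCAL-FILE-CONTENT")
                ? "external entity was resolved" : "external entity was not resolved");
        Files.delete(secret);
    }
}
```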


          People

            ffang Freeman Yue Fang
            ffang Freeman Yue Fang