In JAXP 1.3, the TransformerFactory.setFeature() method must support the secure processing feature. The following paragraph is taken from the javadocs of the TransformerFactory.setFeature() method:
All implementations are required to support the XMLConstants.FEATURE_SECURE_PROCESSING feature. When the feature is:
– true: the implementation will limit XML processing to conform to implementation limits and behave in a secure fashion as defined by the implementation. Examples include resolving user defined style sheets and functions. If XML processing is limited for security reasons, it will be reported via a call to the registered ErrorListener.fatalError(TransformerException exception). See setErrorListener(ErrorListener listener).
– false: the implementation will processing XML according to the XML specifications without regard to possible implementation limits.
Sun's contributed JAXP 1.3 implementation only exposes the feature. But it does not use the feature to limit the XML processing behavior. The proposed patch will implement the following restrictions when the secure processing feature is set to true:
1. use of extension elements and extension functions are disabled
2. the secure processing feature is also passed to all parsers created by the XSLT processor.