| <?xml version="1.0" standalone="no"?> |
| <!DOCTYPE s1 SYSTEM "../../style/dtd/document.dtd"> |
| <!-- |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| --> |
| <!-- $Id$ --> |
| <s1 title="What's new in &xslt4j2;"> |
| |
| <s2 title="What's new in &xslt4j-current;"> |
| <p> |
| Here's what new in &xslt4j-current;. |
| </p> |
| |
| <s3 title="Fix for CVE-2014-0107 insufficient secure processing"> |
| <p> |
| When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties: |
| </p> |
| <ul> |
| <li>{http://xml.apache.org/xalan}content-handler</li> |
| <li>{http://xml.apache.org/xalan}entities</li> |
| <li>{http://xml.apache.org/xslt}content-handler</li> |
| <li>{http://xml.apache.org/xslt}entities</li> |
| </ul> |
| <p> |
| should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops) |
| </p> |
| <p> |
| These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired. |
| </p> |
| <p> |
| <code> |
| <xsl:output xalan:content-handler="org.example.BadClass" ... |
| </code> |
| </p> |
| <p> |
| <code> |
| <xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ... |
| </code> |
| </p> |
| <p> |
| These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc. |
| </p> |
| <p> |
| See <link anchor="https://issues.apache.org/jira/browse/XALANJ-2435">XALANJ-2435</link>. |
| </p> |
| </s3> |
| |
| <s3 title="Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01"> |
| The distributions contain upgraded versions of <code>xercesImpl.jar</code> |
| (Xerces-J 2.11.0) and <code>xml-apis.jar</code> (XML Commons External 1.4.01). |
| </s3> |
| |
| <s3 title="Bug fixes"> |
| &xslt4j-current; contains performance enhancements and other bug fixes since 2.7.1. You can find the list |
| in <link idref="readme" anchor="notes_latest">the release notes</link>. |
| </s3> |
| |
| </s2> |
| |
| </s1> |