| <?xml version="1.0" encoding="UTF-8" standalone="no"?> |
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> |
| <html> |
| <head> |
| <title>ASF: What's new in Xalan-Java 2</title> |
| <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> |
| <meta http-equiv="Content-Style-Type" content="text/css" /> |
| <link rel="stylesheet" type="text/css" href="resources/apache-xalan.css" /> |
| </head> |
| <!-- |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| --> |
| <body> |
| <div id="title"> |
| <table class="HdrTitle"> |
| <tbody> |
| <tr> |
| <th rowspan="2"> |
| <a href="../index.html"> |
| <img alt="Trademark Logo" src="resources/XalanJ-Logo-tm.png" width="190" height="90" /> |
| </a> |
| </th> |
| <th text-align="center" width="75%"> |
| <a href="index.html">Xalan XSL Transformer User's Guide</a> |
| </th> |
| </tr> |
| <tr> |
| <td valign="middle">What's new in Xalan-Java 2</td> |
| </tr> |
| </tbody> |
| </table> |
| </div> |
| <div id="content"> |
| <h2>What's new in Xalan-Java 2</h2> |
| |
| <h3>What's new in Xalan-Java Version 2.7.2</h3> |
| <p> |
| Here's what's new in Xalan-Java Version 2.7.2. |
| </p> |
| |
| <h4>Fix for CVE-2014-0107 insufficient secure processing</h4> |
| <p> |
| When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties: |
| </p> |
| <ul> |
| <li>{http://xml.apache.org/xalan}content-handler</li> |
| <li>{http://xml.apache.org/xalan}entities</li> |
| <li>{http://xml.apache.org/xslt}content-handler</li> |
| <li>{http://xml.apache.org/xslt}entities</li> |
| </ul> |
| <p> |
| should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops). |
| </p> |
| <p> |
| These properties can be used to load an arbitrary class or access an arbitrary URL/resource, so they are problematic when secure processing is desired. |
| </p> |
| <p> |
| <code> |
| &lt;xsl:output xalan:content-handler="org.example.BadClass" ... |
| </code> |
| </p> |
| <p> |
| <code> |
| &lt;xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ... |
| </code> |
| </p> |
| <p> |
| These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc. |
| </p> |
| <p> |
| See <a href="https://issues.apache.org/jira/browse/XALANJ-2435">XALANJ-2435</a>. |
| </p> |
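| <p> |
| As defense in depth alongside FEATURE_SECURE_PROCESSING, an application that accepts stylesheets from untrusted sources can reject any xsl:output element that sets one of the four properties listed above before compiling it. The Java sketch below is an added example, not code from the Xalan project; the class OutputPropertyCheck, the method findRiskyOutputProps and the sample stylesheet are constructed for illustration, and Set.of requires Java 9 or later. |
| </p> |

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.stream.*;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

// Hypothetical helper class; not part of Xalan-Java.
public class OutputPropertyCheck {
    static final String XSLT_NS = "http://www.w3.org/1999/XSL/Transform";
    // The two namespaces and two local names listed in the 2.7.2 note.
    static final Set<String> RISKY_NS =
        Set.of("http://xml.apache.org/xalan", "http://xml.apache.org/xslt");
    static final Set<String> RISKY_NAMES = Set.of("content-handler", "entities");

    /** Returns "{namespace}local=value" for each risky attribute on any xsl:output. */
    static List<String> findRiskyOutputProps(String stylesheet) throws XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        // The check itself must not fetch DTDs or external entities.
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        List<String> hits = new ArrayList<>();
        XMLStreamReader r = xif.createXMLStreamReader(new StringReader(stylesheet));
        while (r.hasNext()) {
            if (r.next() != XMLStreamConstants.START_ELEMENT) continue;
            if (!XSLT_NS.equals(r.getNamespaceURI()) || !"output".equals(r.getLocalName())) continue;
            for (int i = 0; i < r.getAttributeCount(); i++) {
                String ns = r.getAttributeNamespace(i);   // null or "" when unprefixed
                String name = r.getAttributeLocalName(i);
                if (ns != null && RISKY_NS.contains(ns) && RISKY_NAMES.contains(name)) {
                    hits.add("{" + ns + "}" + name + "=" + r.getAttributeValue(i));
                }
            }
        }
        r.close();
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stylesheet using the xalan:entities attribute from the note above.
        String xsl = "<xsl:stylesheet version='1.0'"
            + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
            + " xmlns:xalan='http://xml.apache.org/xalan'>"
            + "<xsl:output xalan:entities='http://example.org/reallyLargeFile.bin'/>"
            + "</xsl:stylesheet>";
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        List<String> hits = findRiskyOutputProps(xsl);
        if (hits.isEmpty()) tf.newTemplates(new StreamSource(new StringReader(xsl)));
        else System.out.println("Rejected, stylesheet sets: " + hits);
    }
}
```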
| |
| |
| <h4>Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01</h4> |
| <p> |
| The distributions contain upgraded versions of <code>xercesImpl.jar</code> |
| (Xerces-J 2.11.0) and <code>xml-apis.jar</code> (XML Commons External 1.4.01). |
| </p> |
| |
| |
| <h4>Bug fixes</h4> |
| <p> |
| Xalan-Java Version 2.7.2 contains performance enhancements and other bug fixes since 2.7.1. You can find the list |
| in <a href="readme.html#notes_latest">the release notes</a>. |
| </p> |
| |
| |
| |
| |
| </div> |
| <div id="footer">Copyright © 1999-2014 The Apache Software Foundation<br />Apache, Xalan, and the Feather logo are trademarks of The Apache Software Foundation<div class="small">Web Page created on - Thu 2014-05-15</div> |
| </div> |
| </body> |
| </html> |