xdocs/sources/xalan/whatsnew.xml - xalan-java - Git at Google

 <?xml version="1.0" standalone="no"?>
 <!DOCTYPE s1 SYSTEM "../../style/dtd/document.dtd">
 <!--
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
  * this work for additional information regarding copyright ownership.
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
 -->
 <!-- $Id$ -->
 <s1 title="What's new in &xslt4j2;">

   <s2 title="What's new in &xslt4j-current;">
     <p>
       Here's what new in &xslt4j-current;.
     </p>

     <s3 title="Fix for CVE-2014-0107 insufficient secure processing">
       <p>
         When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties:
       </p>
       <ul>
         <li>{http://xml.apache.org/xalan}content-handler</li>
         <li>{http://xml.apache.org/xalan}entities</li>
         <li>{http://xml.apache.org/xslt}content-handler</li>
         <li>{http://xml.apache.org/xslt}entities</li>
       </ul>
       <p>
         should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)
       </p>
       <p>
         These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired.
       </p>
       <p>
         <code>
           &lt;xsl:output xalan:content-handler="org.example.BadClass" ...
         </code>
       </p>
       <p>
         <code>
           &lt;xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
         </code>
       </p>
       <p>
         These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc.
       </p>
       <p>
         See <link anchor="https://issues.apache.org/jira/browse/XALANJ-2435">XALANJ-2435</link>.
       </p>
     </s3>

     <s3 title="Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01">
       The distributions contain upgraded versions of <code>xercesImpl.jar</code>
       (Xerces-J 2.11.0) and <code>xml-apis.jar</code> (XML Commons External 1.4.01).
     </s3>

     <s3 title="Bug fixes">
       &xslt4j-current; contains performance enhancements and other bug fixes since 2.7.1. You can find the list
       in <link idref="readme" anchor="notes_latest">the release notes</link>.
     </s3>

   </s2>

 </s1>
	<?xml version="1.0" standalone="no"?>
	<!DOCTYPE s1 SYSTEM "../../style/dtd/document.dtd">
	<!--
	* Licensed to the Apache Software Foundation (ASF) under one or more
	* contributor license agreements. See the NOTICE file distributed with
	* this work for additional information regarding copyright ownership.
	* The ASF licenses this file to You under the Apache License, Version 2.0
	* (the "License"); you may not use this file except in compliance with
	* the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	-->
	<!-- $Id$ -->
	<s1 title="What's new in &xslt4j2;">

	<s2 title="What's new in &xslt4j-current;">
	<p>
	Here's what new in &xslt4j-current;.
	</p>

	<s3 title="Fix for CVE-2014-0107 insufficient secure processing">
	<p>
	When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties:
	</p>
	<ul>
	<li>{http://xml.apache.org/xalan}content-handler</li>
	<li>{http://xml.apache.org/xalan}entities</li>
	<li>{http://xml.apache.org/xslt}content-handler</li>
	<li>{http://xml.apache.org/xslt}entities</li>
	</ul>
	<p>
	should be ignored (see http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)
	</p>
	<p>
	These properties can be used to load an arbitrary class or access an arbitrary URL/resource so are problematic when secure processing is desired.
	</p>
	<p>
	<code>
	<xsl:output xalan:content-handler="org.example.BadClass" ...
	</code>
	</p>
	<p>
	<code>
	<xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
	</code>
	</p>
	<p>
	These features could be used to load a class that had undesirable side-effects or to load a large file and exhaust memory, etc.
	</p>
	<p>
	See <link anchor="https://issues.apache.org/jira/browse/XALANJ-2435">XALANJ-2435</link>.
	</p>
	</s3>

	<s3 title="Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01">
	The distributions contain upgraded versions of <code>xercesImpl.jar</code>
	(Xerces-J 2.11.0) and <code>xml-apis.jar</code> (XML Commons External 1.4.01).
	</s3>

	<s3 title="Bug fixes">
	&xslt4j-current; contains performance enhancements and other bug fixes since 2.7.1. You can find the list
	in <link idref="readme" anchor="notes_latest">the release notes</link>.
	</s3>

	</s2>

	</s1>