<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>ASF: What's new in Xalan-Java 2</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<link rel="stylesheet" type="text/css" href="resources/apache-xalan.css" />
</head>
<!--
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
-->
<body>
<div id="title">
<table class="HdrTitle">
<tbody>
<tr>
<th rowspan="2">
<a href="../index.html">
<img alt="Trademark Logo" src="resources/XalanJ-Logo-tm.png" width="190" height="90" />
</a>
</th>
<th text-align="center" width="75%">
<a href="index.html">Xalan XSL Transformer User's Guide</a>
</th>
</tr>
<tr>
<td valign="middle">What's new in Xalan-Java 2</td>
</tr>
</tbody>
</table>
</div>
<div id="content">
<h2>What's new in Xalan-Java 2</h2>
<h3>What's new in Xalan-Java Version 2.7.2</h3>
<p>
Here's what's new in Xalan-Java Version 2.7.2.
</p>
<h4>Fix for CVE-2014-0107 insufficient secure processing</h4>
<p>
When using FEATURE_SECURE_PROCESSING ("http://javax.xml.XMLConstants/feature/secure-processing") on a TransformerFactory, the output properties:
</p>
<ul>
<li>{http://xml.apache.org/xalan}content-handler</li>
<li>{http://xml.apache.org/xalan}entities</li>
<li>{http://xml.apache.org/xslt}content-handler</li>
<li>{http://xml.apache.org/xslt}entities</li>
</ul>
<p>
should be ignored (see <a href="http://xml.apache.org/xalan-j/usagepatterns.html#outputprops">the Usage Patterns documentation on output properties</a>).
</p>
<p>
These properties can be used to load an arbitrary class or to access an arbitrary URL/resource, so they are problematic when secure processing is desired.
</p>
<p>
<code>
&lt;xsl:output xalan:content-handler="org.example.BadClass" ...
</code>
</p>
<p>
<code>
&lt;xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
</code>
</p>
<p>
These properties could be used to load a class with undesirable side effects, or to load a large file and exhaust memory, etc.
</p>
<p>
See <a href="https://issues.apache.org/jira/browse/XALANJ-2435">XALANJ-2435</a>.
</p>
<h4>Upgrade to Xerces-J 2.11.0 and XML Commons External 1.4.01</h4>
<p>
The distributions contain upgraded versions of <code>xercesImpl.jar</code>
(Xerces-J 2.11.0) and <code>xml-apis.jar</code> (XML Commons External 1.4.01).
</p>
<h4>Bug fixes</h4>
<p>
Xalan-Java Version 2.7.2 contains performance enhancements and other bug fixes since 2.7.1. You can find the list
in <a href="readme.html#notes_latest">the release notes</a>.
</p>
</div>
<div id="footer">Copyright © 1999-2014 The Apache Software Foundation<br />Apache, Xalan, and the Feather logo are trademarks of The Apache Software Foundation<div class="small">Web Page created on - Thu 2014-05-15</div>
</div>
</body>
</html>