FOP-3168: Add secure processing for XSL input

author Simon Steiner <ssteiner@apache.org>

Tue, 5 Mar 2024 11:28:18 +0000 (11:28 +0000)

committer Simon Steiner <ssteiner@apache.org>

Tue, 5 Mar 2024 11:28:18 +0000 (11:28 +0000)
author Simon Steiner <ssteiner@apache.org>
Tue, 5 Mar 2024 11:28:18 +0000 (11:28 +0000)
committer Simon Steiner <ssteiner@apache.org>
Tue, 5 Mar 2024 11:28:18 +0000 (11:28 +0000)
diff --git a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java

index 6d99bbe40f56cae0da6e99afda5d7051d3bdf3fb..fb72762e91b06f4c2e0a7e62179dc53fa60e5adb 100644 (file)
--- a/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
+++ b/fop-core/src/main/java/org/apache/fop/cli/InputHandler.java
@@ -26,6 +26,7 @@ import java.io.OutputStream;
  import java.lang.reflect.InvocationTargetException;
  import java.util.Vector;
  
+import javax.xml.XMLConstants;
  import javax.xml.parsers.ParserConfigurationException;
  import javax.xml.parsers.SAXParserFactory;
  import javax.xml.transform.ErrorListener;
@@ -265,6 +266,7 @@ public class InputHandler implements ErrorListener, Renderable {
          try {
              // Setup XSLT
              TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
              Transformer transformer;
  
              Source xsltSource = createXSLTSource();
author	Simon Steiner <ssteiner@apache.org>
	Tue, 5 Mar 2024 11:28:18 +0000 (11:28 +0000)
committer	Simon Steiner <ssteiner@apache.org>
	Tue, 5 Mar 2024 11:28:18 +0000 (11:28 +0000)