Is there any way to prevent system-property() function to access Java system properties other than setting http://saxon.sf.net/feature/allow-external-functions to false?

Added by Martin Honnen about 6 years ago

With the configuration http://saxon.sf.net/feature/allow-external-functions set to false one of the features switched off is

Use of the XSLT system-property() function to access Java system properties

Other features switched off are

Calls to reflexive Java extension functions
Use of a URI in the href attribute of an xsl:result-document instruction
Calls to XSLT extension instructions

When using Saxon HE neither reflexive extension functions nor XSLT extension instructions are relevant, however I would like to use Saxon HE on .NET (9.8 currently, in the future probably 9.9) to allow xsl:result-document with a href (as it seems I can control where the results end up using http://www.saxonica.com/html/documentation9.8/dotnetdoc/Saxon/Api/XsltTransformer.html#ResultDocumentHandler) but don't want Java system properties exposed to the system-property() function.

Is there any way to configure that? If not, I would like such a configuration feature to be added.

Replies (1)

RE: Is there any way to prevent system-property() function to access Java system properties other than setting http://saxon.sf.net/feature/allow-external-functions to false? - Added by Michael Kay about 6 years ago

There's no such mechanism currently, other than what Java itself provides via the SecurityManager

See for example https://stackoverflow.com/questions/5667118/changing-system-property-in-java-security-policy-file

I have no experience in using these mechanisms.

(1-1/1)

Please register to reply

Project

Profile

Help

Saxon