Set the features and properties of the XMLParser
We hope to add ability to set the XMLParser specific features and properties from Saxon via the Saxon feature keys.
This bug/support feature stemmed from a user who requires the disabling of external entities resolving to avoid the XXE vulnerability (See: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing) and specifically in Saxon-C.
This seems to be something which is required in web application, and in a web application the Java API (e.g. the s9api or JAXP API) is appropriate rather than the command line. When you use the API, you can instantiate an XMLReader yourself, set its configuration options, and then supply this to Saxon as the transformation source (e.g. in a SAXSource object).
There is no direct way to set the parser options in Saxon-C.
#1 Updated by O'Neil Delpratt over 2 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Added the the ability to set specific XML parser features and properties. We use the Saxon feature key mechanism. See the example below to set them:
#3 Updated by Michael Kay over 2 years ago
- Status changed from In Progress to Resolved
- Fixed in version set to 9.6
I've reviewed this and it is indeed implemented in 9.6, and there are unit tests. I've changed the implementation so that parser properties of any type can be set, not only strings as before.