Bug #2051
closedSet the features and properties of the XMLParser
80%
Description
We hope to add ability to set the XMLParser specific features and properties from Saxon via the Saxon feature keys.
This bug/support feature stemmed from a user who requires the disabling of external entities resolving to avoid the XXE vulnerability (See: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing) and specifically in Saxon-C.
This seems to be something which is required in web application, and in a web application the Java API (e.g. the s9api or JAXP API) is appropriate rather than the command line. When you use the API, you can instantiate an XMLReader yourself, set its configuration options, and then supply this to Saxon as the transformation source (e.g. in a SAXSource object).
There is no direct way to set the parser options in Saxon-C.
Updated by O'Neil Delpratt almost 10 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Added the the ability to set specific XML parser features and properties. We use the Saxon feature key mechanism. See the example below to set them:
and
Updated by Michael Kay almost 10 years ago
- Status changed from Resolved to In Progress
- % Done changed from 100 to 80
Resetting the status to "In Progress" as the patch is still being tested and has not yet been applied to 9.6.
Updated by Michael Kay over 9 years ago
- Status changed from In Progress to Resolved
- Fixed in version set to 9.6
I've reviewed this and it is indeed implemented in 9.6, and there are unit tests. I've changed the implementation so that parser properties of any type can be set, not only strings as before.
Updated by O'Neil Delpratt over 9 years ago
- Status changed from Resolved to Closed
This bug fix what out in the Saxon release 9.6.0.1
Please register to edit this issue