Bug #2051
closed
Set the features and properties of the XMLParser
80%
Description
We hope to add the ability to set the XMLParser-specific features and properties from Saxon via the Saxon feature keys.
This bug/support feature stemmed from a user who requires external entity resolution to be disabled to avoid the XXE vulnerability (see: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing), specifically in Saxon-C.
This seems to be something which is required in a web application, and in a web application the Java API (e.g. the s9api or JAXP API) is appropriate rather than the command line. When you use the API, you can instantiate an XMLReader yourself, set its configuration options, and then supply this to Saxon as the transformation source (e.g. in a SAXSource object).
There is no direct way to set the parser options in Saxon-C.
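The Java-side approach described above, sketched with the JAXP API as an added example (it is not code from this issue or from the Saxon project). The class name and the sample document are hypothetical; the feature URIs are the standard SAX ones plus one Xerces-specific feature that the JDK's built-in parser also accepts.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedSourceExample {  // hypothetical class name

    // Instantiate the XMLReader ourselves and switch off external entity handling.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Standard SAX features: do not include external general/parameter entities.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces-specific: do not fetch an external DTD subset when not validating.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    // Supply the pre-configured reader to the processor inside a SAXSource.
    static String transform(String xml) throws Exception {
        SAXSource source = new SAXSource(hardenedReader(),
                new InputSource(new StringReader(xml)));
        // Identity transformation via JAXP; which processor is used depends on
        // the TransformerFactory implementation found on the classpath.
        Transformer t = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(source, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: declares an external entity pointing at a
        // path that does not exist; the hardened reader must not try to read it.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///nonexistent/constructed-sample.txt\">]>\n"
                + "<doc>&ext;</doc>";
        System.out.println(transform(xml));
    }
}
```

Because the reader is configured before it is handed over, the processor parses the source with whatever settings the caller chose.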