Saxon

Hi,

According to http://www.saxonica.com/html/documentation/javadoc/net/sf/saxon/lib/FeatureKeys.html#XML_PARSER_FEATURE and http://docstore.mik.ua/orelly/xml/xmlnut/ch25_03.htm you should set value to false in following way:

factory.setAttribute("http://saxon.sf.net/feature/parserFeature?uri=http://xml.org/sax/features/external-parameter-entities", false);

Hope that helps.

Several points:

Firstly, I think the parser property you want to set is external-general-entities, not external-parameter-entities.

Secondly, the Saxon documentation is a little bit misleading. The property name that you pass to factory.setAttribute() should not contain the final "=" sign. But the colon should (I think) be escaped as %3A.

Finally, setting this property only affects settings on an XML parser that Saxon creates. It has no effect if your application creates the XML parser (that is, if the input is supplied to Saxon as a SAXSource object).

Thanks Michael and Maurisz. We are not using the xml parser that Saxon creates. The question is how to instruct the SaxonTransformerFactory.newTemplates(Source source) to not to resolve any external entities? The stylesheet is passed as a StreamSource to the newTemplates method.

By the way, I was able to disallow external functions via setAttribute for the same application.

       factory.setAttribute("http://saxon.sf.net/feature/allow-external-functions", false);

If you want detailed control over parsing, the best way is to create an XMLReader yourself and supply it to Saxon within a SAXSource object.

I was able to get this working by implementing a XMLReader and passing it to Saxon. Will run some more tests and confirm the behavior.