Project

Profile

Help

Support #4234

closed

Security assessment of SaxonEE 9.9

Added by Bhupender Rathee over 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
2019-06-14
Due date:
% Done:

0%

Estimated time:
Legacy ID:
Applies to branch:
9.9, trunk
Fix Committed on Branch:
9.9
Fixed in Maintenance Release:
Platforms:

Description

Hello Team,

We are using commercial Saxon library (Saxon-EE version 9.9). We are directly getting the instances of “EnterpriseTransformerFactory”, “SchemaFactoryImpl” and “SchemaValidator”. As part of security practices to prevent attacks (like DTD attack, XML Schema attacks, XPath injection etc) there are quite a few properties we need to set to some or many of these classes.

Our question is, does Saxonica internally set these properties? For example to prevent DTD attacks we set TransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); Does these settings already considered in your APIs? Or consumers have to manage themselves? If Yes, can we get some report or info from the website of default settings?

Thanks Bhupender

Please register to edit this issue

Also available in: Atom PDF