Professional Internet Addict • Game Enthusiast • Tech Creator

Preventing Java method calls from XSL using TransformerFactory

How to deny or disallow calling Java methods from an XSL using TransformerFactory!

Please note that this blog post was published on April 2011, so depending on when you read it, certain parts might be out of date. Unfortunately, I can't always keep these posts fully up to date to ensure the information remains accurate.

    When using Java's TransformerFactory to transform XML documents with XSL, the stylesheet is allowed to call Java methods by default (through the "java:" extension namespace of the Xalan/XSLTC engine bundled with the JDK). This is a security issue when dealing with third-party XSL documents: an attacker-controlled stylesheet can instantiate arbitrary classes and invoke arbitrary methods with the privileges of the process doing the transformation.
    To disallow calling Java methods from the XSL, set the FEATURE_SECURE_PROCESSING feature on the factory before creating the transformer:

        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    A stylesheet that still tries to call into Java will then fail with a TransformerException during the transformation:

        Error: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.
        Error during transformation javax.xml.transform.TransformerException: java.lang.RuntimeException: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.
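    As an added example (not code from the original post), the following Java program shows the difference between the two factory configurations end to end. The stylesheet is a constructed sample: it uses the Xalan/XSLTC "java:" extension namespace to create a java.io.File object and call a method on it, standing in for whatever an attacker would really do. The class name SecureXslDemo and the method name transform are my own choices.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class SecureXslDemo {

    // Constructed sample stylesheet (hypothetical "untrusted" input).
    // It binds the Xalan/XSLTC extension namespace and uses it to
    // instantiate java.io.File and call an instance method on it.
    // Any other class or method reachable from the JVM could be used
    // the same way, which is why this must be blocked for untrusted XSL.
    private static final String UNTRUSTED_XSL =
          "<xsl:stylesheet version=\"1.0\""
        + "  xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + "  xmlns:java=\"http://xml.apache.org/xalan/java\">"
        + "  <xsl:output method=\"text\"/>"
        + "  <xsl:template match=\"/\">"
        + "    <xsl:variable name=\"f\" select=\"java:java.io.File.new('.')\"/>"
        + "    <xsl:value-of select=\"java:getAbsolutePath($f)\"/>"
        + "  </xsl:template>"
        + "</xsl:stylesheet>";

    // Constructed sample input document; its content is irrelevant here.
    private static final String INPUT_XML = "<doc/>";

    // Runs the transformation with or without secure processing enabled.
    // With secure == true the "java:" extension call is rejected and a
    // TransformerException propagates out of transform().
    static String transform(boolean secure) throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        if (secure) {
            // This is the one-line fix from the post. It must be set on the
            // factory before newTransformer()/newTemplates() is called.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        Transformer t = factory.newTransformer(
                new StreamSource(new StringReader(UNTRUSTED_XSL)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(INPUT_XML)),
                    new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the stylesheet runs Java code and prints a path.
        System.out.println("insecure: " + transform(false));

        // Secure processing: the same stylesheet is rejected.
        try {
            System.out.println("secure:   " + transform(true));
        } catch (TransformerException e) {
            System.out.println("secure:   rejected: " + e.getMessage());
        }
    }
}
```

    Two caveats worth knowing before relying on this. First, the feature must be set on the TransformerFactory instance that creates the Transformer; a Transformer already created from an unsecured factory is not affected. Second, FEATURE_SECURE_PROCESSING is a general hardening switch rather than a setting specific to extension functions, so it also tightens other limits (such as entity-expansion limits) in the same processor, which is usually what you want for untrusted input but can surprise you on large legitimate documents. Later JDK releases also expose a dedicated jdk.xml.enableExtensionFunctions property for the extension-function part alone; check the documentation of the JDK you are running for how it interacts with the secure-processing feature.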

    Written by Special Agent Squeaky. First published 2011-04-23. Last updated 2011-04-23.
