Houd er rekening mee dat deze blogpost in april 2011 is gepubliceerd. Afhankelijk van wanneer u hem leest, kunnen bepaalde delen dus verouderd zijn. Helaas kan ik deze berichten niet altijd volledig up-to-date houden om ervoor te zorgen dat de informatie accuraat blijft.
When using the Java's TransformerFactory to XSL transform XML documents, the XSL document is allowed to call Java methods by default. This however could be a security issue when dealing with third party XSL documents.
To disallow calling Java methods from the XSD, set the FEATURE_SECURE_PROCESSING feature on the factory:
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
This will result in an TransformerException when transforming the documents:
Error: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.
Error during transformation
javax.xml.transform.TransformerException: java.lang.RuntimeException: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.
