请注意,本博文发布于2011年4月,因此根据您阅读的时间,某些部分可能已过时。遗憾的是,我无法始终保持这些文章的完全更新,以确保信息的准确性。
When using the Java's TransformerFactory to XSL transform XML documents, the XSL document is allowed to call Java methods by default. This however could be a security issue when dealing with third party XSL documents.
To disallow calling Java methods from the XSD, set the FEATURE_SECURE_PROCESSING feature on the factory:
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
This will result in an TransformerException when transforming the documents:
Error: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.
Error during transformation
javax.xml.transform.TransformerException: java.lang.RuntimeException: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.
