List:       xalan-dev
Subject:    [jira] [Updated] (XALANJ-2591) Transform XSLT using Xalan into XHTML fails with secure processing fe
From:       "Tadayoshi Sato (JIRA)" <jira () apache ! org>
Date:       2016-02-12 8:44:18
Message-ID: JIRA.12734879.1408402858000.35371.1455266658103 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/XALANJ-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tadayoshi Sato updated XALANJ-2591:
-----------------------------------
    Attachment: xalan-test.zip

Another reproducer {{xalan-test.zip}} attached. Run the following commands:
{code}
$ cd xalan-test/
$ mvn clean test
{code}
and you'll see the test fails.

> Transform XSLT using Xalan into XHTML fails with secure processing feature when using attributes
> ------------------------------------------------------------------------------------------------
>  
> Key: XALANJ-2591
> URL: https://issues.apache.org/jira/browse/XALANJ-2591
> Project: XalanJ2
> Issue Type: Bug
> Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
> Components: transformation, Xalan
> Affects Versions: 2.7.2
> Reporter: Victor Kazakov
> Assignee: Steven J. Hathaway
> Attachments: XSLTElementProcessor.patch, xalan-test.zip
> 
> 
> I'm trying to use the updated version of Xalan (2.7.2) in secure mode and am having
> an issue with it not being able to understand unknown attributes. The problem is, it
> prevents you from using any stylesheet that emits XHTML (in secure processing mode)
> because it disallows things like "colspan" attributes of "th" elements. The
> associated changed file is here:
> http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h
> See the following example:
> {code:java}
> import javax.xml.XMLConstants;
> import javax.xml.transform.*;
> import javax.xml.transform.stream.StreamSource;
> import java.io.StringReader;
> import org.apache.xml.utils.DefaultErrorHandler;
>
> public class XalanSecureAttributeRepro {
>     // Stylesheet whose literal result element carries a plain HTML attribute.
>     private static final String XSL =
>         "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
>         "  <xsl:output method=\"html\"/>\n" +
>         "  <xsl:template match=\"/*\">\n" +
>         "    <th colspan=\"2\"/>\n" +
>         "  </xsl:template>\n" +
>         "</xsl:stylesheet>";
>
>     public static void main( String[] args ) throws Exception {
>         System.setProperty( "javax.xml.transform.TransformerFactory",
>             "org.apache.xalan.processor.TransformerFactoryImpl" );
>         TransformerFactory tf = TransformerFactory.newInstance();
>         tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
>         // Rethrow stylesheet errors instead of only logging them.
>         tf.setErrorListener( new DefaultErrorHandler( true ) );
>         final Source source = new StreamSource( new StringReader( XSL ) );
>         Templates templates = tf.newTemplates( source ); // throws:
>         // TransformerException: "colspan" attribute is not allowed on the th element!
>     }
> }
> {code}
> It returns this error:
> {code}
> Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
>     at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
> Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
>     ... 6 more
> Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
>     at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
>     at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
>     at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
>     at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
>     at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
>     at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
>     at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
>     ... 6 more
> Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
>     ... 22 more
> {code}
> This worked properly in 2.7.1.
> Am I missing setting a feature on the transformer factory? How would you transform
> a stylesheet that emits (X)HTML in secure processing mode using Xalan?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xalan.apache.org
For additional commands, e-mail: dev-help@xalan.apache.org
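
An added example, not part of the original message or of the Xalan project: a compile check that builds the same stylesheet with FEATURE_SECURE_PROCESSING off and on, so the rejection can be attributed to the feature when validating a Xalan upgrade. The class name and the helper compile() are hypothetical; the factory class name and the stylesheet content are taken from the report above.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

// Added example (hypothetical class name), not code from the report or from Xalan.
public class SecureProcessingCompileCheck {
    // Constructed input: the same literal result element as in the report.
    static final String XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
        + "<xsl:output method=\"html\"/>"
        + "<xsl:template match=\"/*\"><th colspan=\"2\"/></xsl:template>"
        + "</xsl:stylesheet>";

    // Rethrow errors (not warnings) so a rejected stylesheet is never half-accepted.
    static final ErrorListener STRICT = new ErrorListener() {
        public void warning(TransformerException e) { }
        public void error(TransformerException e) throws TransformerException { throw e; }
        public void fatalError(TransformerException e) throws TransformerException { throw e; }
    };

    /** Returns null if the stylesheet compiles, otherwise the rejection message. */
    static String compile(String factoryClass, boolean secure) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance(factoryClass, null);
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
            tf.setErrorListener(STRICT);
            return tf.newTemplates(new StreamSource(new StringReader(XSL))) == null
                ? "newTemplates returned null" : null;
        } catch (TransformerConfigurationException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Factory class name as given in the report; Xalan must be on the classpath.
        String factory = "org.apache.xalan.processor.TransformerFactoryImpl";
        // secure=false is run only as the comparison baseline.
        for (boolean secure : new boolean[] { false, true }) {
            String err = compile(factory, secure);
            System.out.println("secure=" + secure + " -> "
                + (err == null ? "compiled" : "REJECTED: " + err));
        }
    }
}
```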

