In jdk1.6, while I am setting
transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false)
I am facing the following error:
javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory. at org.apache.xalan.processor.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:418)
As with what I found here: How to prevent xalan.jar that has META-INF\services\javax.xml.transform.TransformerFactory from taking over JDK 1.6 built in Xalan implementation? I can't make the changes suggested there, as there will be other API conflicts, as reviewed by my admin.
And as per this link: http://xml.apache.org/xalan-j/features.html#domsource
You can use the TransformerFactory.setFeature(String, boolean) method to set the value of a feature. Xalan-Java only supports setting of the XMLConstants.FEATURE_SECURE_PROCESSING feature. For all other features, TransformerFactory exposes their values, but cannot change their states.
So it seems we can set only this feature if the Xalan implementation of TransformerFactory is used:
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Finally, my question: if we set the feature
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
then is the other feature (XMLConstants.ACCESS_EXTERNAL_DTD) automatically set to false?
I got the above feature as "false" from the logs I set.
But I want to know for sure if the accessExternalDTD feature will be set to false by default or if the secure-processing feature is set to true.
In Java 8, yes. If we set
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
then the attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are set to "", like the OWASP guide recommends.
We can verify it with:
Object hasExternalDtd=factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
Object hasExternalStyle=factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
after setting the FEATURE_SECURE_PROCESSING feature.
The default value, if we don't set it, is "all" for both properties.
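The check described in this answer, written out as an added example (not code from the question or answer above). It assumes a Java 8 runtime with the JDK's built-in TransformerFactory; the class and method names (SecureTransformerFactoryCheck, readAccess, hardened) are my own. It prints the two access properties before and after FEATURE_SECURE_PROCESSING is enabled, and shows a hardening helper that sets the JAXP 1.5 attributes explicitly where the implementation accepts them and falls back to the secure-processing feature (the only one a standalone Xalan accepts) where it does not.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public class SecureTransformerFactoryCheck {

    // Read one of the JAXP 1.5 access properties; an implementation that
    // predates them (e.g. a standalone xalan.jar) throws IllegalArgumentException
    // from getAttribute, which we report instead of propagating.
    static String readAccess(TransformerFactory f, String name) {
        try {
            Object v = f.getAttribute(name);
            return v == null ? "<null>" : "\"" + v + "\"";
        } catch (IllegalArgumentException e) {
            return "<unsupported by " + f.getClass().getName() + ">";
        }
    }

    // Hypothetical helper: build a factory that refuses external DTDs and
    // stylesheets. The explicit attributes are preferred because they do not
    // depend on what a given implementation ties to secure processing.
    static TransformerFactory hardened() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        // Every JAXP implementation must accept this feature (Xalan accepts only it).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Implementation does not know the JAXP 1.5 attributes:
            // secure processing is all it offers, so we keep that.
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        System.out.println("implementation: " + f.getClass().getName());
        System.out.println("before FSP: DTD=" + readAccess(f, XMLConstants.ACCESS_EXTERNAL_DTD)
                + " stylesheet=" + readAccess(f, XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        System.out.println("after FSP:  DTD=" + readAccess(f, XMLConstants.ACCESS_EXTERNAL_DTD)
                + " stylesheet=" + readAccess(f, XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
        TransformerFactory h = hardened();
        System.out.println("hardened:   DTD=" + readAccess(h, XMLConstants.ACCESS_EXTERNAL_DTD)
                + " stylesheet=" + readAccess(h, XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
    }
}
```

On the JDK 8 built-in factory the "before" line reports "all" for both properties and the "after" line reports "", matching the answer; with a standalone Xalan on the classpath the same run reports the properties as unsupported, which is the situation the question describes.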