Mon, 15 Jan 2024, /Martin/:

"Code that uses the JDK’s internal copy of the Xerces XML processor [might fail]. Such code should instead use a standalone copy of the Xerces library, available from Maven Central."

https://openjdk.org/jeps/403

I'm just curious, what Xerces-specific classes are you using, are you using any?

The problem is that when including Xerces2 2.12.2 as a Maven dependency, two properties are not recognized, which are relevant for security (to prevent XXE attacks):

http://javax.xml.XMLConstants/property/accessExternalSchema

http://javax.xml.XMLConstants/property/accessExternalDTD

Fact is these are part of JAXP since Java 7 [1] and I think Xerces should support them to remain a reasonably relevant implementation.

There is an open Jira topic to support these properties: https://issues.apache.org/jira/browse/XERCESJ-1654

This was created in 2015 and I am wondering what the current status is and what a suitable workaround might be to fulfill that requirement of JEP-403.

Not a general workaround but for code I develop I strive to implement specific external resource resolution and its configuration by means of setting up an explicit 'entityResolver' [2]. I don't find the accessExternalDTD/accessExternalSchema fail-fast behavior particularly handy for such use cases.

If you don't have control over the implementation and would only like to influence it via system configuration, maybe avoid including Xerces in your runtime, for the time being.

--
Stanimir

[1] https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD

https://docs.oracle.com/javase/7/docs/api/javax/xml/parsers/SAXParser.html#setProperty(java.lang.String,%20java.lang.Object)
https://docs.oracle.com/javase/tutorial/jaxp/properties/
https://docs.oracle.com/javase/tutorial/jaxp/properties/properties.html

[2] https://docs.oracle.com/en/java/javase/21/docs/api/java.xml/org/xml/sax/XMLReader.html#setEntityResolver(org.xml.sax.EntityResolver)
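The two approaches discussed in this thread, the JAXP 1.5 access-limit properties and an explicit EntityResolver, can be combined so the same code is safe on both the JDK's built-in parser and a standalone Xerces-J 2.12.2 on the classpath. The following is an added example written for this page, not code from the thread or from the Xerces project. The XXE payload, the allowlist entry at example.invalid and the class name HardenedXmlParser are constructed for the demonstration.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

public final class HardenedXmlParser {

    // Constructed sample input: a textbook XXE payload that tries to read a local file.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<foo>&xxe;</foo>";

    // Constructed sample input: a document that references an external DTD we do want to honour.
    static final String ALLOWED_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo SYSTEM \"https://example.invalid/schemas/foo.dtd\">\n"
      + "<foo>hello</foo>";

    // Allowlist of external resources the application legitimately needs, served from memory.
    // (Constructed; in a real application these would be DTDs/schemas bundled with the code.)
    static final Map<String, String> KNOWN_RESOURCES = Map.of(
        "https://example.invalid/schemas/foo.dtd", "<!ELEMENT foo (#PCDATA)>");

    // Explicit resolver: allowlisted system IDs get their bundled content, everything else
    // resolves to an empty document. Returning a non-null InputSource matters: a null return
    // would let the parser fall back to its default resolution and open the URI itself.
    static final EntityResolver ALLOWLIST_RESOLVER = (publicId, systemId) -> {
        String body = KNOWN_RESOURCES.get(systemId);
        return new InputSource(new StringReader(body == null ? "" : body));
    };

    /** Whether the JAXP 1.5 access limits were accepted by the underlying implementation. */
    static boolean jaxpLimitsSupported;

    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setXIncludeAware(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Defence in depth: the fail-fast JAXP 1.5 limits, which apply when the parser does its
        // own resolution. The JDK's parser accepts them; Xerces-J 2.12.2 does not (XERCESJ-1654)
        // and, per the JAXP contract, signals that with IllegalArgumentException.
        try {
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            jaxpLimitsSupported = true;
        } catch (IllegalArgumentException unsupported) {
            jaxpLimitsSupported = false;
        }

        // Features both Xerces-J and the JDK's internal copy understand: no external
        // parameter entities, so the DTD itself cannot pull in further external resources.
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        // On either implementation, the explicit resolver is what actually decides which
        // external resources are reachable, so the result does not depend on the limits above.
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver(ALLOWLIST_RESOLVER);
        return db;
    }

    /** Parses the given XML and returns the text content of the root element. */
    static String rootText(String xml) throws Exception {
        Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // The SYSTEM entity is not on the allowlist, so it expands to the empty string
        // instead of the file contents.
        System.out.println("XXE payload root text: '" + rootText(XXE_PAYLOAD) + "'");
        // The allowlisted DTD is served from memory and the document parses normally.
        System.out.println("Allowed doc root text:  '" + rootText(ALLOWED_DOC) + "'");
        System.out.println("JAXP access limits accepted by this parser: " + jaxpLimitsSupported);
    }
}
```

Run it once with the JDK's built-in parser and once with xercesImpl 2.12.2 on the classpath: the resolver outcome is the same in both cases, while the third line shows which of the two implementations accepted the accessExternalDTD/accessExternalSchema attributes. If a deployment must rely purely on the JAXP properties (for instance because it sets them through jaxp.properties rather than in code), that third line is the check to look at before shipping with Xerces-J in the runtime.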
