The issue there is when processing malicious XSLT.
We don't pass untrusted XSLT to it?
Tom
On 15/08/2022 22:36, Brian Raymes wrote:
Seems like those dependencies need to be replaced due to vulnerabilities, as
the Apache Xalan project has been retired:
https://github.com/advisories/GHSA-9339
Well … you might not, but a malicious attacker might.
I think the last few releases of BlazeDS that I did in the past were reacting
to CVEs reported in the XML processing part of BlazeDS. Here, for example, a
malicious attacker could embed XML using XML entities that referenced protected
resou