如何在Java中允许/拒绝来自XSL的特定Java方法调用?
[英]How do I allow/deny specific java method call from an XSL in Java?
问题描述
Main goal: I would like to control which classes and or methods that are allowed to be called when parsing an XSL-file via Java. 
主要目标:我想控制在通过Java解析XSL文件时允许调用哪些类和/或方法。
Using a TransformerFactory: 使用TransformerFactory:
TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inXSL);
Transformer transformer = factory.newTransformer(xslStream);
...
transformer.transform(in, out);
It is possible to call Java-methods by having this is in the XSL-file: 可以通过在XSL文件中调用Java方法来实现:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:java="java">
...
<currentDay><xsl:value-of select="java:util.Date.new()" /></currentDate>
Meaning java:util.Date.net() is new Date().toString(). 含义java:util.Date.net()是新的Date()。toString()。
I know I can use: 我知道我可以使用:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
But that denies everything. 但这否认一切。
Two questions: 两个问题:
1) How do I control which specific Java-methods that are allowed to be called? 1)如何控制允许调用哪些特定的Java方法?
2) If it is not possible using TransformerFactory, what other XSL libraries can I use to control this? 2)如果无法使用TransformerFactory,可以使用其他哪些XSL库来控制它?
1 个解决方案
解决方案1
0 2011-08-18 09:08:33
It looks from your example as if you are using the Xalan XSLT processor (Java extensibility varies from one processor to another). 从您的示例中看,好像您正在使用Xalan XSLT处理器(Java的可扩展性因一个处理器而异)。
If you move to Saxon, then by default you will NOT be able to call arbitrary Java methods from your XSLT code, you will only be able to call extension functions that have been explicitly registered as "integrated extension functions". 如果转到Saxon,则默认情况下将无法从XSLT代码中调用任意Java方法,而只能调用已明确注册为“集成扩展功能”的扩展功能。 This seems to be what you are asking for. 这似乎是您要的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.