
How do I allow/deny specific Java method calls from an XSL in Java?

Main goal: I would like to control which classes and/or methods are allowed to be called when parsing an XSL-file via Java.

Using a TransformerFactory:

TransformerFactory factory = TransformerFactory.newInstance();
StreamSource xslStream = new StreamSource(inXSL);
Transformer transformer = factory.newTransformer(xslStream);
...
transformer.transform(in, out);

It is possible to call Java methods by having this in the XSL-file:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:java="java">
...
<currentDay><xsl:value-of select="java:util.Date.new()" /></currentDay>

Meaning java:util.Date.new() is new Date().toString().

I know I can use:

factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

But that denies everything.

Two questions:

1) How do I control which specific Java methods are allowed to be called?

2) If it is not possible using TransformerFactory, what other XSL libraries can I use to control this?

It looks from your example as if you are using the Xalan XSLT processor (Java extensibility varies from one processor to another).

If you move to Saxon, then by default you will NOT be able to call arbitrary Java methods from your XSLT code; you will only be able to call extension functions that have been explicitly registered as "integrated extension functions". This seems to be what you are asking for.
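
A sketch of the registration approach described in the answer above, using Saxon's s9api interface. This is an added example, not code from the answer's author or from the question. The class name `AllowListedXslt`, the namespace `urn:example:allowed-ext`, the function name `current-day` and the sample stylesheet are assumptions made for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.time.LocalDate;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.s9api.*;

public class AllowListedXslt {
    // Hypothetical namespace for the single function stylesheets are allowed to call.
    static final String EXT_NS = "urn:example:allowed-ext";

    // Constructed sample stylesheet: it calls the registered ext:current-day()
    // in place of the reflexive java:util.Date.new() call from the question.
    static final String XSL =
        "<xsl:stylesheet version='2.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:ext='" + EXT_NS + "' exclude-result-prefixes='ext'>"
      + "<xsl:template match='/'>"
      + "<currentDay><xsl:value-of select='ext:current-day()'/></currentDay>"
      + "</xsl:template></xsl:stylesheet>";

    public static void main(String[] args) throws SaxonApiException {
        Processor processor = new Processor(false); // false = no licensed features requested

        // The allow-list: only functions registered here are callable from XSLT.
        processor.registerExtensionFunction(new ExtensionFunction() {
            public QName getName() { return new QName(EXT_NS, "current-day"); }
            public SequenceType getResultType() {
                return SequenceType.makeSequenceType(ItemType.STRING, OccurrenceIndicator.ONE);
            }
            public SequenceType[] getArgumentTypes() { return new SequenceType[0]; }
            public XdmValue call(XdmValue[] arguments) {
                // The host application decides exactly what the stylesheet can obtain.
                return new XdmAtomicValue(LocalDate.now().toString());
            }
        });

        XsltCompiler compiler = processor.newXsltCompiler();
        XsltExecutable executable = compiler.compile(new StreamSource(new StringReader(XSL)));

        StringWriter out = new StringWriter();
        Xslt30Transformer transformer = executable.load30();
        transformer.applyTemplates(new StreamSource(new StringReader("<doc/>")),
                                   processor.newSerializer(out));
        System.out.println(out); // serialized <currentDay> element with today's date
    }
}
```

Each permitted operation becomes one registered function with a fixed name, argument types and result type, so the set of Java code reachable from a stylesheet is whatever the host application registers on the `Processor`.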
