Re: [xsl] Saxon vulnerability

Subject: Re: [xsl] Saxon vulnerability
From: "Roger L Costello costello@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Mar 2025 15:23:13 -0000
> the original posting you had did use parse-xml with an external entity,
> I am not sure why you now bring up unparsed-text

Eek, that was a typo.  I meant parse-xml.

Sorry Martin, but may I ask of you one more time to review this for accuracy:

SAXON has a configuration property allowedProtocols that can be set to
"https,http" to allow only HTTPS and HTTP URIs to be resolved, while file URI
access should fail (i.e., access to the file should be blocked). However, when
allowedProtocols is set, SAXON fails to block file access when the string
given to parse-xml() contains a user-defined entity--via an ENTITY declaration
(in a DOCTYPE or in a DTD)--and the entity references a file.

Workaround: prevent parse-xml() from doing any DTD/DOCTYPE access; disable
DTD/DOCTYPE (https://saxonica.plan.io/issues/6711#note-12)
