
I'm trying to use the updated version of Xalan (2.7.2) in secure mode and am having an issue with it not being able to understand unknown attributes. The problem is, it prevents you from using any stylesheet that emits XHTML (in secure processing mode) because it disallows things like "colspan" attributes of "th" elements.

The associated changed file is here: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h

See the following example:

import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;
import org.apache.xml.utils.DefaultErrorHandler; // Xalan's error listener; throws on error when constructed with true
import java.io.StringReader;

public class XalanSecureAttributeRepro {
    private static final String XSL =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
            "  <xsl:output method=\"html\"/>\n" +
            "  <xsl:template match=\"/*\">\n" +
            "    <th colspan=\"2\"/>\n" +
            "  </xsl:template>\n" +
            "</xsl:stylesheet>";

    public static void main( String[] args ) throws Exception {
        System.setProperty( "javax.xml.transform.TransformerFactory", "org.apache.xalan.processor.TransformerFactoryImpl" );

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setErrorListener( new DefaultErrorHandler( true ) );

        final Source source = new StreamSource( new StringReader( XSL ) );
        Templates templates = tf.newTemplates( source ); // throws:
                        // TransformerException: "colspan" attribute is not allowed on the th element!
    }
}

It returns this error:

Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
    at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
    ... 6 more
Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
    at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
    at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
    at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
    at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
    at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
    at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
    ... 6 more
Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
    ... 22 more

Am I doing something wrong with the stylesheet, or am I missing setting a feature on the transformer factory? How would you transform a stylesheet that emits (X)HTML in secure processing mode using Xalan?

kazvictor
  • Your stylesheet looks fine. Why do you need to run the transformation in secure processing mode? – Mathias Müller Aug 13 '14 at 08:52
  • I need to run the transformation in secure processing mode because our software can process stylesheets from an unknown (untrusted) source and so we need many of the secure mode protections. – kazvictor Aug 13 '14 at 17:50
  • Why not run this particular stylesheet in the less secure, normal mode? You have written it, so you know what to expect. Why do you have to process all stylesheets in the same mode? – Mathias Müller Aug 13 '14 at 18:13
  • The above stylesheet is an example stylesheet used to demonstrate the issue. In our application we allow a user to transform xml with a stylesheet they provide. Therefore, we cannot trust this stylesheet and so need to run the transformation in secure processing mode. – kazvictor Aug 13 '14 at 21:41
  • I wonder if Xalan complains on unknown attributes only or just on any attribute as Abel suggests in his answer? If only on unknown, then can't you make them known with a modified document type definition or whatever? – Sergey Ushakov Aug 19 '14 at 00:55
  • This was fixed in Apache Servicemix Xalan version 2.7.2_3, but the bugfix was not released with Apache Xalan version 2.7.3 – JoshDM Jul 03 '23 at 21:38

2 Answers


The offending line in the referred-to version of the Xalan source is:

if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())

I'm not 100% sure what is in attrDef, but I would guess it's your attribute, which will never have the value of * (but from the documentation on XSLTAttributeDef, the value * is allowed, but I don't know how, as it is not a qname).

The documentation on secure processing only limits the amount of attributes on a single element, but the limit is high, 10,000.

The way I see it, you hit a bug of Xalan 2.7.1. It prevents you from using any attribute. If the limit is imposed because only known attributes can be used, it still seems to be a bug, because th is allowed to take colspan as an attribute in both HTML and XHTML. You might try, though, whether you see the same behavior if you change your output from HTML to XML.

Abel
  • I just tried with xml as the output method with no luck. It's starting to look like a bug to me. It's not very usable if you can't use attributes. I've submitted this to the xalan mailing list and will update if I get a response. – kazvictor Aug 18 '14 at 22:40
  • @kazvictor Do you indeed get the same erroneous behaviour with any attribute, even when not creating an HTML root tag? Indeed a big bug it seems. Perhaps you can try an earlier build? – Abel Aug 19 '14 at 01:57
  • Yes, it appears to be an issue for any attribute. The example stylesheet from above is just a minimal stylesheet that reproduces the issue. This looks like it was caused by this specific change; I believe it worked in builds before it: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h – kazvictor Aug 19 '14 at 18:03
  • An issue has been raised in the XalanJ project to track this bug: https://issues.apache.org/jira/browse/XALANJ-2591 – kazvictor Apr 24 '16 at 19:32
  • @Abel - don't you mean "a bug of Xalan 2.7.2"? – JoshDM Apr 01 '21 at 01:01
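A startup self-check in the spirit of the repro in the question and of the "try it in both modes" discussion above, added here as an example and not code from any of the posts or from Xalan itself: it compiles a constructed one-attribute stylesheet with and without FEATURE_SECURE_PROCESSING, so a service that processes untrusted stylesheets can detect whether the Xalan build on its classpath has the attribute-rejection regression (XALANJ-2591) before relying on secure mode, and can distinguish that from a stylesheet that is simply invalid. Only the public JAXP API is used; the probe stylesheet, the class name and the Result enum are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

/** Example probe (not from the original posts): detects the secure-mode attribute regression. */
public class XalanSecureModeProbe {

    /** Constructed minimal stylesheet: one literal result element carrying one ordinary attribute. */
    static final String PROBE_XSL =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
            "  <xsl:output method=\"xml\"/>\n" +
            "  <xsl:template match=\"/\"><td colspan=\"2\"/></xsl:template>\n" +
            "</xsl:stylesheet>";

    /** Assumed outcome classification. */
    public enum Result { OK, ATTRIBUTES_REJECTED_IN_SECURE_MODE, STYLESHEET_INVALID }

    /** Rethrow errors so a rejected attribute surfaces as an exception rather than a printed message. */
    static final ErrorListener STRICT = new ErrorListener() {
        public void warning(TransformerException e) { /* warnings are not failures for this probe */ }
        public void error(TransformerException e) throws TransformerException { throw e; }
        public void fatalError(TransformerException e) throws TransformerException { throw e; }
    };

    /**
     * Ask for Xalan's own factory by class name so the probe exercises org.apache.xalan.processor,
     * where the rejected attribute is reported, rather than the JDK's internal XSLTC copy.
     */
    static TransformerFactory xalanFactory(boolean secure) throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance(
                "org.apache.xalan.processor.TransformerFactoryImpl", null);
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
        tf.setErrorListener(STRICT);
        return tf;
    }

    static boolean compiles(TransformerFactory tf, String xsl) {
        try {
            tf.newTemplates(new StreamSource(new StringReader(xsl)));
            return true;
        } catch (TransformerConfigurationException e) {
            return false;
        }
    }

    /** Compile the same stylesheet in both modes so a bad stylesheet is not mistaken for the regression. */
    public static Result probe() throws TransformerConfigurationException {
        if (!compiles(xalanFactory(false), PROBE_XSL)) {
            return Result.STYLESHEET_INVALID;
        }
        return compiles(xalanFactory(true), PROBE_XSL)
                ? Result.OK
                : Result.ATTRIBUTES_REJECTED_IN_SECURE_MODE;
    }

    public static void main(String[] args) throws Exception {
        Result r = probe();
        System.out.println("Xalan secure-mode attribute probe: " + r);
        // Fail fast at startup or in CI: on an affected build, secure mode cannot compile real stylesheets.
        if (r != Result.OK) {
            System.exit(1);
        }
    }
}
```

Run it once per deployment (or as a unit test when the Xalan dependency is bumped). Because every stylesheet that sets an attribute on a literal result element trips the check on an affected build, a result of ATTRIBUTES_REJECTED_IN_SECURE_MODE means untrusted-stylesheet processing must stay disabled rather than fall back to non-secure mode.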

This is a bug that is resolved in the Apache Servicemix build of Xalan-2.7.2_3.

<dependency>
    <groupId>org.apache.servicemix.bundles</groupId>
    <artifactId>org.apache.servicemix.bundles.xalan</artifactId>
    <version>2.7.2_3</version><!--$NO-MVN-MAN-VER$-->
</dependency>

Use of <!--$NO-MVN-MAN-VER$--> prevents overrides.

NOTE Beware, this bugfix was NOT added to Apache Xalan-2.7.3

<!-- https://mvnrepository.com/artifact/xalan/xalan -->
<dependency>
    <groupId>xalan</groupId>
    <artifactId>xalan</artifactId>
    <version>2.7.3</version>
</dependency>
JoshDM