How to provide a utility on XSLT while maintaining security

Question

I would like the ability to provide an escape utility that can be used in an XSL Stylesheet. For example:

<xsl:stylesheet version="2.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
   xmlns:xs="http://www.w3.org/2001/XMLSchema" 
   xmlns:xalan="http://xml.apache.org/xalan" 
   xmlns:escape="xalan://com.example.myservice.MyEscapeTool">

However, in terms of Java, my understanding is that lack of the following setting on your TransformerFactory can be insecure:

factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

So I did that, but understandably this blocks your ability to use "external function calls" with the following runtime error:

FATAL: XPath syntax error at char 12 in {escape:new()}:
    Cannot find a matching 0-argument function named 
{java:com.example.myservice.MyEscapeTool}new(). Note: external 
function calls have been disabled;

Removing the aforementioned FEATURE_SECURE_PROCESSING flag will fix the issue.

How can I include a utility function that can be called in XSLT, without causing a loss in security with the ability to expose ANY arbitrary Java class?

this sound to me more or less like "_You can't have your cake and eat it too_" — gtosto, Dec 12 '17 at 21:11
Xalan has never supported XSLT 2. You might want to consider to move to an XSLT 2 processor like Saxon 9 where you can write user-defined functions in XSLT with `xsl:function` https://www.w3.org/TR/xslt/#stylesheet-functions. Saxon also allows integrated extension functions https://www.saxonica.com/html/documentation/extensibility/integratedfunctions/ instead of reflexive where you control the functions you implement in Java and expose to XSLT. — Martin Honnen, Dec 12 '17 at 22:18

score 1 · Accepted Answer · answered Dec 12 '17 at 22:50

As @MartinHonnen points out in his comment, if you switch to using Saxon, then you can restrict the stylesheet to use only "integrated extension functions" which are registered with the XSLT processor prior to execution, without allowing the stylesheet to call any class/method that happens to be on the classpath.

How to provide a utility on XSLT while maintaining security

1 Answers1