Setting secure processing in TransformerFactory leads to Problems in XSL

Question

I am generating a PDF document with XML file as input using Apache FOP 2.4. To prevent XXE-Attacks I need to set the secure processing feature (FEATURE_SECURE_PROCESSING) in TransformerFactory:

InputStream xslTransformer = getClass().getClassLoader().getResourceAsStream("foo.xsl");
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer(new StreamSource(xslTransformer));
transformer.transform(new DOMSource(), new SAXResult(fop.getDefaultHandler()));

After setting this feature I can't generate any PDF document and I'm getting warnings:

SystemId Unknown; Line #49; Column #99; "master-name" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "initial-page-number" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "page-height" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "page-width" attribute is not allowed on the fo:simple-page-master element!
etc ...

Here is a section of XSL file (foo.xsl):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="2.0"
                xmlns:fo="http://www.w3.org/1999/XSL/Format"
                xmlns:pdf="http://xmlgraphics.apache.org/fop/extensions/pdf">

    <xsl:template match="/">
        <fo:root>
            <fo:layout-master-set>
                <fo:simple-page-master master-name="A4-portrait" initial-page-number="1"
                                       page-height="29.7cm" page-width="21.0cm" margin-top="0cm"
                                       margin-left="1cm" margin-right="1.3cm" margin-bottom="0cm">
                    <fo:region-body margin-top="2.2cm" margin-bottom="1.2cm" margin-left="1.3cm"/>
                    <fo:region-before region-name="xsl-region-before" extent="2.2cm"/>
                    <fo:region-after region-name="xsl-region-after" extent="1.2cm"/>
                    <fo:region-start region-name="xsl-region-start" extent="1.3cm"/>
                </fo:simple-page-master>
            </fo:layout-master-set>

            <fo:page-sequence master-reference="A4-portrait" font-family="Consolas" font-size="11">
                <fo:flow flow-name="xsl-region-body">
                    <fo:block linefeed-treatment="preserve" font-weight="bold">
                        foo
                    </fo:block>

                    <fo:block linefeed-treatment="preserve">
                        bar
                    </fo:block>

                </fo:flow>
            </fo:page-sequence>

        </fo:root>
    </xsl:template>

</xsl:stylesheet>

How should I use this feature and make it work? Java version is 8.

Answer 1

This is due to xalan-2.7.2.

Here is the bug in Xalan-J

Switching to xalan-2.7.1 or earlier will solve your problem.

You may have to force exclusions for xalan on an Apache-FO dependency.

You can also overwrite with 2.7.2_3, which patches this problem.

<dependency>
    <groupId>org.apache.servicemix.bundles</groupId>
    <artifactId>org.apache.servicemix.bundles.xalan</artifactId>
    <version>2.7.2_3</version><!--$NO-MVN-MAN-VER$-->
</dependency>

Use of <!--$NO-MVN-MAN-VER$--> prevents overrides.

Note: this bugfix was not migrated to xalan-2.7.3 for unspecified reasons and at this time there is no servicemix for 2.7.3 with the bugfix.