问题描述
我正在使用 Apache FOP 2.4 生成一个带有 XML 文件作为输入的 PDF 文档.为了防止 XXE 攻击,我需要在 TransformerFactory 中设置安全处理功能 (FEATURE_SECURE_PROCESSING):
I am generating a PDF document with XML file as input using Apache FOP 2.4.To prevent XXE-Attacks I need to set the secure processing feature (FEATURE_SECURE_PROCESSING) in TransformerFactory:
InputStream xslTransformer = getClass().getClassLoader().getResourceAsStream("foo.xsl");
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer(new StreamSource(xslTransformer));
transformer.transform(new DOMSource(), new SAXResult(fop.getDefaultHandler()));
设置此功能后,我无法生成任何 PDF 文档并且收到警告:
After setting this feature I can't generate any PDF document and I'm getting warnings:
SystemId Unknown; Line #49; Column #99; "master-name" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "initial-page-number" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "page-height" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "page-width" attribute is not allowed on the fo:simple-page-master element!
etc ...
这是 XSL 文件 (foo.xsl) 的一部分:
Here is a section of XSL file (foo.xsl):
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="2.0"
xmlns:fo="http://www.w3.org/1999/XSL/Format"
xmlns:pdf="http://xmlgraphics.apache.org/fop/extensions/pdf">
<xsl:template match="/">
<fo:root>
<fo:layout-master-set>
<fo:simple-page-master master-name="A4-portrait" initial-page-number="1"
page-height="29.7cm" page-width="21.0cm" margin-top="0cm"
margin-left="1cm" margin-right="1.3cm" margin-bottom="0cm">
<fo:region-body margin-top="2.2cm" margin-bottom="1.2cm" margin-left="1.3cm"/>
<fo:region-before region-name="xsl-region-before" extent="2.2cm"/>
<fo:region-after region-name="xsl-region-after" extent="1.2cm"/>
<fo:region-start region-name="xsl-region-start" extent="1.3cm"/>
</fo:simple-page-master>
</fo:layout-master-set>
<fo:page-sequence master-reference="A4-portrait" font-family="Consolas" font-size="11">
<fo:flow flow-name="xsl-region-body">
<fo:block linefeed-treatment="preserve" font-weight="bold">
foo
</fo:block>
<fo:block linefeed-treatment="preserve">
bar
</fo:block>
</fo:flow>
</fo:page-sequence>
</fo:root>
</xsl:template>
</xsl:stylesheet>
我应该如何使用此功能并使其发挥作用?Java 版本是 8.
How should I use this feature and make it work? Java version is 8.
推荐答案
这是由于 xalan-2.7.2.
This is due to xalan-2.7.2.
切换到 xalan-2.7.1 或更早版本将解决您的问题.
Switching to xalan-2.7.1 or earlier will solve your problem.
您可能必须在 Apache-FO 依赖项上强制排除 xalan.
You may have to force exclusions for xalan on an Apache-FO dependency.
你也可以用 2.7.2_3 覆盖,它修补了这个问题.
You can also overwrite with 2.7.2_3, which patches this problem.
<dependency>
<groupId>org.apache.servicemix.bundles</groupId>
<artifactId>org.apache.servicemix.bundles.xalan</artifactId>
<version>2.7.2_3</version><!--$NO-MVN-MAN-VER$-->
</dependency>
使用 可防止覆盖.
这篇关于在 TransformerFactory 中设置安全处理会导致 XSL 中的问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!