中设置安全处理会导致

中设置安全处理会导致

本文介绍了在 TransformerFactory 中设置安全处理会导致 XSL 中的问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用 Apache FOP 2.4 生成一个带有 XML 文件作为输入的 PDF 文档.为了防止 XXE 攻击,我需要在 TransformerFactory 中设置安全处理功能 (FEATURE_SECURE_PROCESSING):

I am generating a PDF document with XML file as input using Apache FOP 2.4.To prevent XXE-Attacks I need to set the secure processing feature (FEATURE_SECURE_PROCESSING) in TransformerFactory:

InputStream xslTransformer = getClass().getClassLoader().getResourceAsStream("foo.xsl");
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactory.newTransformer(new StreamSource(xslTransformer));
transformer.transform(new DOMSource(), new SAXResult(fop.getDefaultHandler()));

设置此功能后,我无法生成任何 PDF 文档并且收到警告:

After setting this feature I can't generate any PDF document and I'm getting warnings:

SystemId Unknown; Line #49; Column #99; "master-name" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "initial-page-number" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "page-height" attribute is not allowed on the fo:simple-page-master element!
SystemId Unknown; Line #49; Column #99; "page-width" attribute is not allowed on the fo:simple-page-master element!
etc ...

这是 XSL 文件 (foo.xsl) 的一部分:

Here is a section of XSL file (foo.xsl):

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="2.0"
                xmlns:fo="http://www.w3.org/1999/XSL/Format"
                xmlns:pdf="http://xmlgraphics.apache.org/fop/extensions/pdf">

    <xsl:template match="/">
        <fo:root>
            <fo:layout-master-set>
                <fo:simple-page-master master-name="A4-portrait" initial-page-number="1"
                                       page-height="29.7cm" page-width="21.0cm" margin-top="0cm"
                                       margin-left="1cm" margin-right="1.3cm" margin-bottom="0cm">
                    <fo:region-body margin-top="2.2cm" margin-bottom="1.2cm" margin-left="1.3cm"/>
                    <fo:region-before region-name="xsl-region-before" extent="2.2cm"/>
                    <fo:region-after region-name="xsl-region-after" extent="1.2cm"/>
                    <fo:region-start region-name="xsl-region-start" extent="1.3cm"/>
                </fo:simple-page-master>
            </fo:layout-master-set>

            <fo:page-sequence master-reference="A4-portrait" font-family="Consolas" font-size="11">
                <fo:flow flow-name="xsl-region-body">
                    <fo:block linefeed-treatment="preserve" font-weight="bold">
                        foo
                    </fo:block>

                    <fo:block linefeed-treatment="preserve">
                        bar
                    </fo:block>

                </fo:flow>
            </fo:page-sequence>

        </fo:root>
    </xsl:template>

</xsl:stylesheet>

我应该如何使用此功能并使其发挥作用?Java 版本是 8.

How should I use this feature and make it work? Java version is 8.

推荐答案

这是由于 xalan-2.7.2.

This is due to xalan-2.7.2.

这是 Xalan-J 中的错误

切换到 xalan-2.7.1 或更早版本将解决您的问题.

Switching to xalan-2.7.1 or earlier will solve your problem.

您可能必须在 Apache-FO 依赖项上强制排除 xalan.

You may have to force exclusions for xalan on an Apache-FO dependency.

你也可以用 2.7.2_3 覆盖,它修补了这个问题.

You can also overwrite with 2.7.2_3, which patches this problem.

<dependency>
    <groupId>org.apache.servicemix.bundles</groupId>
    <artifactId>org.apache.servicemix.bundles.xalan</artifactId>
    <version>2.7.2_3</version><!--$NO-MVN-MAN-VER$-->
</dependency>

使用 可防止覆盖.

这篇关于在 TransformerFactory 中设置安全处理会导致 XSL 中的问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-23 09:41