Hi Elliotte, On 24.04.2026 13:06, Elliotte Rusty Harold wrote: > On Fri, Apr 24, 2026 at 2:35 AM Piotr P. Karwasz > <[email protected]> wrote: > >> Second, the correct recipe depends on which JAXP implementation is >> actually on the classpath, and that's often not what the developer >> thinks. A library author tests against the JDK, observes that >> FEATURE_SECURE_PROCESSING transitively restricts ACCESS_EXTERNAL_* >> (JEP 185), and writes a minimal hardening block. The library is then >> deployed in an application that pulls in external Xerces transitively: >> JEP 185 no longer applies, ACCESS_EXTERNAL_* is not honored, and the >> minimal block is no longer sufficient. >> > > This might be an issue to address in Xerces. Please file a detailed > description in the JIRA.
This is an issue that is already present in JIRA: https://issues.apache.org/jira/browse/XERCESJ-1654 Piotr --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
