elharo commented on code in PR #196:
URL: https://github.com/apache/xalan-java/pull/196#discussion_r2980914918


##########
stylebook/sources/xalan/index.xml:
##########
@@ -367,4 +367,14 @@ in the Xalan-Java distribution..</p>
  <p>For the licences that apply to the JARs other than xalan.jar, see the 
licenses and 
     associated readme files in the root directory of this distribution.</p>
 </s2>
+
+<s2 title="Security">
+<p>Xerces and Xalan do what the XML specifications require by default. In some 
cases, this may not be appropriate behavior when working with untrusted input: 
the <jump href="https://apache.github.io/xalan-c/secureweb.html";>XML Security 
Overview</jump> mentions some potential risks. There are multiple methods for 
blocking access to external entities and for disallowing DOCTYPE declarations, 
and it is up to the downstream user of Xalan to block/reject these constructs 
where appropriate.</p>
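Review bot: the `href` attribute in the new `<jump>` element has a stray `;` after the closing quote (`secureweb.html";>`), which is not well-formed XML and will either break the stylebook build or produce a bad link; it should read `<jump href="https://apache.github.io/xalan-c/secureweb.html">XML Security Overview</jump>`. The paragraph also states that there are multiple methods for blocking external entities and disallowing DOCTYPE declarations without naming any of them; a brief pointer to where those settings are documented would make the new Security section actionable for downstream users rather than only advisory.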

Review Comment:
   Xerces and Xalan do --> Xalan does



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
