
Problem using latest Xerces 2.12 #256

Closed
Fancellu2 opened this issue Jul 20, 2018 · 8 comments

Comments

@Fancellu2

I'm pulling in the latest Xerces via sbt

"xerces" % "xercesImpl" % "2.12.0"

When I go to run it, it all works, but I get these errors/warnings:

com.openhtmltopdf.load INFO:: SAX XMLReader in use (parser): org.apache.xerces.parsers.SAXParser
com.openhtmltopdf.load SEVERE:: Unable to disable XML External Entities, which might put you at risk to XXE attacks

Does it not like xerces? Should I use something else?

Thanks

@danfickle
Owner

Hi @Fancellu2

This warning is always OK if you are only using trusted XHTML input (untrusted input is not recommended anyway).

However, I'm not sure which XML feature is not supported by the latest Xerces, so you could leave this issue open until investigated.

Thanks for reporting.

@Fancellu2
Author

A stack trace, FYI:

org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
        at org.apache.xerces.parsers.AbstractSAXParser.setFeature(Unknown Source)
        at com.openhtmltopdf.resource.XMLResource$XMLResourceBuilder.setXmlReaderSecurityFeatures(XMLResource.java:178)
        at com.openhtmltopdf.resource.XMLResource$XMLResourceBuilder.createXMLResource(XMLResource.java:237)
        at com.openhtmltopdf.resource.XMLResource$XMLResourceBuilder.access$100(XMLResource.java:168)
        at com.openhtmltopdf.resource.XMLResource.load(XMLResource.java:81)

If it doesn't like Xerces, what would it like?
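
The stack trace above shows a single unrecognized feature aborting the whole hardening step. The following is an added example, not code from openhtmltopdf or from anyone in this thread: it sets the XXE-related SAX features one at a time, records which ones the loaded parser refuses, and then self-checks that a DOCTYPE is actually rejected. The class name XxeHardening is a placeholder; the feature URIs are the standard JAXP, SAX and Xerces ones.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;

public final class XxeHardening {
    /** Returns the feature URIs the parser refused; an empty list means all were applied. */
    public static List<String> harden(XMLReader r) {
        List<String> failed = new ArrayList<>();
        // The first URI is the one the stack trace above shows Xerces' SAXParser rejecting.
        set(r, "http://javax.xml.XMLConstants/feature/secure-processing", true, failed);
        set(r, "http://apache.org/xml/features/disallow-doctype-decl", true, failed);
        set(r, "http://xml.org/sax/features/external-general-entities", false, failed);
        set(r, "http://xml.org/sax/features/external-parameter-entities", false, failed);
        set(r, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false, failed);
        return failed;
    }

    private static void set(XMLReader r, String feature, boolean value, List<String> failed) {
        try {
            r.setFeature(feature, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            failed.add(feature); // unknown to this parser: record it instead of continuing silently
        }
    }

    /** Self-check: with DOCTYPEs disallowed, even a harmless internal DTD must be rejected. */
    public static boolean rejectsDoctype(XMLReader r) throws IOException {
        String probe = "<!DOCTYPE x [<!ENTITY e \"hi\">]><x>&e;</x>"; // constructed probe, internal entity only
        try {
            r.parse(new InputSource(new StringReader(probe)));
            return false; // parsed cleanly, so DOCTYPE is still accepted
        } catch (SAXException rejected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Whichever SAX implementation is first on the classpath (JDK-internal or xercesImpl)
        XMLReader r = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        List<String> failed = harden(r);
        System.out.println("refused features: " + failed);
        System.out.println("DOCTYPE rejected: " + rejectsDoctype(r));
    }
}
```

Run it once with xercesImpl on the classpath and once without to see which features each parser accepts; if `harden` returns a non-empty list or `rejectsDoctype` is false, the reader should not be handed user-supplied markup.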

@sosnut
Contributor

sosnut commented Oct 5, 2018

Look up the JRE built-in equivalents of Xerces that are in com.sun.org.apache.xerces.internal.jaxp
(Should be used by default, see #188 if you need to point to them explicitly).

@Fancellu2
Author

The JRE defaults are no better as far as I can tell. That's why I added Xerces, with the same result.

@Fancellu2
Author

BTW, I made the "error" go away by turning off the logging, i.e.

XRLog.setLoggingEnabled(false)

I did that also because the default logging was commenting on almost every line of CSS, and I really didn't care.

@antoniolucasnobar

I am using 'default' in my code. In unit tests, it uses the JDK default and I do not get the error.
When I deploy the app on JBoss EAP 7.1, it uses Xerces (2.11.0 with Red Hat modifications). I manually set Xerces 2.12, and defined the variable xr.load.xml-reader to the Xerces version, but got the same warning and errors as above.

I tried to set it to the JDK default, com.sun.org.apache.xerces.internal.parsers.SAXParser, but on JBoss it just does not find the class (ClassNotFoundException).

I really do not know what to do. I cannot just trust the input, because the HTML comes from the users.

Can anyone provide alternatives to Xerces other than the JDK version?

Thanks in advance,
sorry for my sloppy English.
Lucas

@sosnut
Contributor

sosnut commented Sep 17, 2019

Unless things have changed recently, I think that Xerces for Java is rather obsolete. The JDK classes should be fine.
You could try to call useDocumentBuilderFactoryImplementationClass() to specify which DocumentBuilderFactoryImpl you want to use. I don't know if it will work in your case or not.

Otherwise you could find a library (for example OWASP Java HTML Sanitizer), to ensure that your HTML is safe.

@antoniolucasnobar

Dear @sosnut, thank you for your answer. I really did not understand what you meant by calling useDocumentBuilderFactoryImplementationClass(). However, I started to look around (in other issues here and on the internet). I saw a similar problem in #54 (dilman stacktraces).

Then I started to think about why JBoss does not load this class on the classpath. After searching a while, I found this: https://developer.jboss.org/thread/202250

So, to use the JDK SAXParser under JBoss EAP, I added the property "xr.load.xml-reader" to JBoss:

-Dxr.load.xml-reader="com.sun.org.apache.xerces.internal.parsers.SAXParser"

and then added

<path name="com/sun/org/apache/xerces/internal/parsers"/>
<path name="com/sun/org/apache/xalan/internal/xsltc/trax"/>

to $JBOSS_HOME/modules/sun/jdk/main/module.xml

I had to add the second line because of the transformer.

I hope it helps anyone who needs to run openhtmltopdf under JBoss or Wildfly.

Cheers.
