Problem using latest Xerces 2.12 #256
Comments
Hi @Fancellu2, this warning is always OK if you are only using trusted XHTML input (untrusted input is not recommended anyway). However, I'm not sure which XML feature is not supported by the latest Xerces, so you could leave this issue open until investigated. Thanks for reporting. |
A stack trace fyi
If it doesn't like Xerces, what would it like? |
Look up the JRE built-in equivalents of Xerces that are in com.sun.org.apache.xerces.internal.jaxp |
The JRE defaults are no better as far as I can tell. That's why I added xerces, with the same result |
BTW, I made the "error" go away by turning off the logging, i.e.
I did that also because the default logging was commenting on most every line of css, and I really didn't care |
I am using 'default' in my code. In unit tests, it uses the JDK default and I do not get the error. I tried to set it to the JDK default: com.sun.org.apache.xerces.internal.parsers.SAXParser, but on JBoss, it just does not find the class (ClassNotFoundException). I really do not know what to do. I cannot just trust the input, because the HTML comes from the users. Can anyone provide alternatives to Xerces other than the JDK version? Thanks in advance, |
Unless things have changed recently, I think that Xerces for Java is rather obsolete. The JDK classes should be fine. Otherwise you could find a library (for example OWASP Java HTML Sanitizer), to ensure that your HTML is safe. |
Dear @sosnut, thank you for your answer. I really did not understand what you meant by calling useDocumentBuilderFactoryImplementationClass(). However, I started to look around (in other issues here and on the internet). I saw a similar problem in #54 (dilman stacktraces). Then I started to think about why JBoss does not load this class on the classpath. After searching for a while, I found this: https://developer.jboss.org/thread/202250 So, to use the JDK SAXParser under JBoss EAP, I added the property "xr.load.xml-reader" to JBoss: -Dxr.load.xml-reader="com.sun.org.apache.xerces.internal.parsers.SAXParser" and then added
I had to add the second line because of the transformer. I hope it helps anyone who needs to run openhtmltopdf under JBoss or Wildfly. Cheers. |
I'm pulling in latest Xerces via sbt
"xerces" % "xercesImpl" % "2.12.0"
When I go to run, it all works, but I get these errors/warnings:
com.openhtmltopdf.load INFO:: SAX XMLReader in use (parser): org.apache.xerces.parsers.SAXParser
com.openhtmltopdf.load SEVERE:: Unable to disable XML External Entities, which might put you at risk to XXE attacks
Does it not like xerces? Should I use something else?
Thanks
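The thread leaves open which XML feature the parser rejects. The following probe is an added example, not code from openhtmltopdf or from anyone in this thread: it asks JAXP for whatever SAX parser is on the classpath, tries each commonly recommended XXE hardening feature, and reports which ones the XMLReader refuses. The class name `XxeFeatureProbe` and the feature list are assumptions; the list is the widely used hardening set, not necessarily the one openhtmltopdf applies.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeFeatureProbe {
    // Assumed hardening set (feature URI -> desired value); not taken from openhtmltopdf.
    static Map<String, Boolean> hardening() {
        Map<String, Boolean> f = new LinkedHashMap<>();
        f.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.put("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.put("http://xml.org/sax/features/external-general-entities", false);
        f.put("http://xml.org/sax/features/external-parameter-entities", false);
        f.put("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        System.out.println("XMLReader in use: " + reader.getClass().getName());
        for (Map.Entry<String, Boolean> e : hardening().entrySet()) {
            try {
                reader.setFeature(e.getKey(), e.getValue());
                System.out.println("OK       " + e.getKey() + " = " + e.getValue());
            } catch (SAXException ex) { // SAXNotRecognizedException or SAXNotSupportedException
                System.out.println("REJECTED " + e.getKey() + " (" + ex.getClass().getSimpleName() + ")");
            }
        }
        // Constructed sample: DOCTYPE with an external entity that points at a placeholder path.
        String sample = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x SYSTEM "
                + "\"file:///nonexistent-placeholder\">]><r>&x;</r>";
        DefaultHandler handler = new DefaultHandler();
        reader.setContentHandler(handler);
        reader.setErrorHandler(handler);
        try {
            reader.parse(new InputSource(new StringReader(sample)));
            System.out.println("Parsed: DOCTYPE accepted, external entity not fetched");
        } catch (SAXException ex) {
            System.out.println("Parser refused the document: " + ex.getMessage());
        } catch (IOException ex) {
            System.out.println("Parser tried to fetch the external entity; hardening is not in effect");
        }
    }
}
```

Run it once with xercesImpl on the classpath and once without to compare the Xerces reader against the JDK built-in one.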