JDK-8343002

Adjust XSLT and XPath Extension Function Property


    • CSR
    • Resolution: Approved
    • P4
    • 24
    • xml
    • None
    • behavioral
    • medium
    • Applications that use XSLT/XPath extension functions will fail if they do not actively enable the functions. The impact is moderate because, on one hand, the change is disruptive in nature while, on the other, extension functions are not a popular solution given their significant drawbacks. They are also already disabled when the Security Manager is present and FEATURE_SECURE_PROCESSING is true. Furthermore, in cases where they are needed, the property that enables them should have been set to indicate that this is the desired behavior.
    • System or security property
    • JDK

      Summary

      Change the default setting to disallow Extension Functions.

      Problem

      XSLT and XPath Extension Functions can be useful in scenarios where custom logic needs to be integrated into the transformation process, extending the capabilities of XSLT by leveraging Java APIs. However, extension functions come with significant drawbacks. They make transformations more complex, blending concerns between transformation and application logic. They are hard to maintain and debug, and they reduce portability. More importantly, allowing XSLT stylesheets to execute Java code is a security concern. It is therefore better to avoid extension functions, keeping transformations purely XSLT-based and handling complex logic separately within the application.

      As indicated in JEP 486, Extension Functions are disabled when running with the Security Manager. The removal of the Security Manager is another reason that this feature should be disabled by default.

      Solution

      Disable XSLT and XPath Extension Functions by default, specifically by setting FEATURE_SECURE_PROCESSING (FSP) to true in the Transform API by default.

      This change aligns the Transform API with other JAXP APIs such as DOM, SAX and Validation in having FSP on by default. Its impact is limited to the Extension Functions because other properties as listed in the implementation specific properties table have already set the FSP-enabled values to the same as the default values of each property.

      This change also does not change the External Access Properties because they require FSP to be explicitly set via the JAXP APIs.

      This solution does not include the XPath API. The XSLT and XPath Extension Functions in this CSR refer to the XSLT Extension Functions and the functions used within XPath expressions in XSLT, not the functions used in the XPath API. The XPath API uses a user-defined XPathFunctionResolver to resolve any functions specified in an XPath expression, so it does not suffer from the drawbacks present in the Transform API.

      Compatibility and solution

      If an application handles XML transformation with a stylesheet that uses Extension Functions, it may encounter a processing error such as the following:

      Use of the extension function '[function name]' is not allowed when extension functions are disabled
      by the secure processing feature or the property 'jdk.xml.enableExtensionFunctions'. To enable extension
      functions, set 'jdk.xml.enableExtensionFunctions' to 'true'.

      For applications that require extension functions, the solution is to set the property jdk.xml.enableExtensionFunctions to true. This can be done via the Transform API, e.g.

              import javax.xml.transform.TransformerFactory;

              TransformerFactory transformerFactory = TransformerFactory.newInstance();
              transformerFactory.setFeature("jdk.xml.enableExtensionFunctions", true);

      Or in the JAXP Configuration File. A template for creating a strict JAXP Configuration File, jaxp-strict.properties.template, was provided in JDK 23 for developers to assess and prepare for this type of change. To set the property, copy the template and create a custom configuration file:

      cp $JAVA_HOME/conf/jaxp-strict.properties.template /<my_path>/jaxp-strict.properties

      Edit and change the setting as follows:

      jdk.xml.enableExtensionFunctions=true

      Furthermore, as a system property, it can also be set on the command line, e.g.:

      java -Djdk.xml.enableExtensionFunctions=true myApp
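      The following probe, an added example that is not part of this CSR or of the JDK sources, shows the effect of the new default from an operator's point of view: it compiles a constructed stylesheet that calls the benign extension function java.lang.Math.abs, first with a default TransformerFactory and then with the explicit opt-in described above, and reports whether each run was blocked with the error quoted above. On JDK 24 and later the default run reports BLOCKED; on an earlier JDK it reports ALLOWED, which tells you the application still relies on the old default. The class name, the stylesheet and the "xalan/java" namespace convention used to reach the Java method are assumptions of this example.

```java
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class ExtensionFunctionProbe {
    // Constructed stylesheet (not from the CSR): calls java.lang.Math.abs through
    // the "http://xml.apache.org/xalan/java/<class>" extension namespace convention.
    static final String XSLT = """
        <xsl:stylesheet version="1.0"
            xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
            xmlns:math="http://xml.apache.org/xalan/java/java.lang.Math">
          <xsl:output method="text"/>
          <xsl:template match="/"><xsl:value-of select="math:abs(-7)"/></xsl:template>
        </xsl:stylesheet>""";

    /** Compiles and runs the probe stylesheet; returns the result or the error. */
    static String probe(boolean enableExtensionFunctions) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            if (enableExtensionFunctions) {
                // The explicit opt-in named in the CSR; only for applications that need it.
                tf.setFeature("jdk.xml.enableExtensionFunctions", true);
            }
            // With extension functions disabled, XSLTC rejects the stylesheet at compile
            // time here with a TransformerConfigurationException (a TransformerException).
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<root/>")), new StreamResult(out));
            return "extension functions ALLOWED, output=" + out;
        } catch (TransformerException e) {
            return "extension functions BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default factory : " + probe(false));
        System.out.println("explicit opt-in : " + probe(true));
    }
}
```

      To exercise the configuration-file route instead of setFeature, run the probe with the default factory and point the JVM at the custom file via the java.xml.config.file system property (available since JDK 23): java -Djava.xml.config.file=/<my_path>/jaxp-strict.properties ExtensionFunctionProbe.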

      Specification

      Update the java.xml module description, table Implementation Specific Properties:

          Name                                 Value (default)
      -  jdk.xml.enableExtensionFunctions      true
      +  jdk.xml.enableExtensionFunctions      false
      

            joehw Joe Wang
            joehw Joe Wang
            Lance Andersen