plutext / docx4j-ImportXHTML

Converts XHTML to OpenXML WordML (docx) using docx4j

Unable to disable XML External Entities, which might put you at risk to XXE attacks #74

Open TomMante opened 3 years ago

TomMante commented 3 years ago

I have a program which uses the latest version of docx4j-ImportXHTML 8.2.0, which now uses openhtmltopdf. Whenever I am trying to run a program which generates a word document from a mix of html and pure docx4j code, I get this error message: com.openhtmltopdf.load SEVERE:: Unable to disable XML External Entities, which might put you at risk to XXE attacks

I've been googling for a bit and couldn't find any solution, but I managed to track the origin of the issue in this class:

com.openhtmltopdf.resource.XMLResource

when the system calls the following method:

```java
import java.util.logging.Level;
import javax.xml.transform.TransformerFactory;
// XRLog and LogMessageId0Param are openhtmltopdf's own logging classes.

// Tries to forbid external DTD and stylesheet access on the factory (JAXP 1.5
// attributes). A factory that does not know these attributes throws
// IllegalArgumentException, which is what produces the SEVERE log line.
private void setTranformerFactorySecurityFeatures(TransformerFactory xformFactory) {
    try {
        // "" = allow no external protocols at all
        xformFactory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
        xformFactory.setAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
    } catch (IllegalArgumentException var3) {
        XRLog.log(Level.SEVERE, LogMessageId0Param.LOAD_UNABLE_TO_DISABLE_XML_EXTERNAL_ENTITIES, var3);
    }
}
```

and the implementation of TransformerFactory is provided by another library of docx4j: xalan-interpretive:8.0.0

more specifically the class that fails is the following: org.docx4j.org.apache.xalan.processor.TransformerFactoryImpl

I am not an expert in XML nor in security, and I might be totally wrong about this but it seems like this implementation doesn't support some security attributes that are expected by openhtmltopdf.

It is marked as "SEVERE" by openhtmltopdf so I am guessing it can be a serious security leak, and I have users inserting html into my program, so I would like to understand and to ask if it is possible to fix this issue.

Thank you!
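A probe you can run inside your own application to see which TransformerFactory JAXP actually resolves on your classpath and whether it accepts the two JAXP 1.5 attributes that openhtmltopdf sets. This is an added example, not code from this issue, from docx4j or from openhtmltopdf. It assumes a JDK 8 or newer; `org.docx4j.org.apache.xalan.processor.TransformerFactoryImpl` is the class named in the report above, and `com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl` is the JDK's built-in XSLTC factory. The class name `TransformerFactoryProbe` and its methods are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;
import javax.xml.transform.URIResolver;

/**
 * Hypothetical diagnostic: reports whether a TransformerFactory honours the
 * JAXP 1.5 external-access attributes, and applies attribute-independent
 * hardening so the factory is still restricted when they are rejected.
 */
public class TransformerFactoryProbe {

    /** True if the factory accepted the attribute; false if it threw
     *  IllegalArgumentException (the case logged as SEVERE in the issue). */
    static boolean accepts(TransformerFactory factory, String attribute) {
        try {
            factory.setAttribute(attribute, "");   // "" = allow no external protocols
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Prints what one factory supports, then hardens it regardless. */
    static void report(TransformerFactory factory) throws TransformerConfigurationException {
        System.out.println("Implementation: " + factory.getClass().getName());
        System.out.println("  accessExternalDTD honoured:        "
                + accepts(factory, XMLConstants.ACCESS_EXTERNAL_DTD));
        System.out.println("  accessExternalStylesheet honoured: "
                + accepts(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET));

        // FEATURE_SECURE_PROCESSING is mandatory for every JAXP implementation, so it
        // is a baseline every factory must accept even if the attributes above fail.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Attribute-independent fallback for stylesheet-side fetches (xsl:include,
        // xsl:import, document()): a resolver that refuses every external reference.
        // DTD and entity expansion happen in the XML parser, not the transformer, so
        // they must be disabled on the SAXParserFactory/XMLReader that feeds it.
        factory.setURIResolver(new URIResolver() {
            @Override
            public Source resolve(String href, String base) throws TransformerException {
                throw new TransformerException("external reference blocked: " + href);
            }
        });
    }

    public static void main(String[] args) throws TransformerConfigurationException {
        // 1. Whatever the JAXP lookup picks (this is what openhtmltopdf ends up with).
        report(TransformerFactory.newInstance());

        // 2. The repackaged Xalan factory named in the issue, if it is on the classpath.
        try {
            report(TransformerFactory.newInstance(
                    "org.docx4j.org.apache.xalan.processor.TransformerFactoryImpl", null));
        } catch (TransformerFactoryConfigurationError e) {
            System.out.println("docx4j Xalan factory not on classpath: " + e.getMessage());
        }

        // 3. The JDK's built-in XSLTC factory for comparison.
        report(TransformerFactory.newInstance(
                "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", null));
    }
}
```

If step 1 prints the docx4j Xalan class and "false" for both attributes, the SEVERE message is explained: the factory openhtmltopdf obtains simply does not recognise the JAXP 1.5 attributes. Which implementation `TransformerFactory.newInstance()` returns is controlled by the standard JAXP lookup order (the `javax.xml.transform.TransformerFactory` system property, then service-loader registrations on the classpath, then the JDK default), so the probe output also tells you which of those is selecting Xalan in your deployment.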

mihaialexandruteodor commented 2 years ago

having the same issue...