I have a program which uses the latest version of docx4j-ImportXHTML, 8.2.0, which now uses openhtmltopdf. Whenever I try to run a program which generates a Word document from a mix of HTML and pure docx4j code, I get this error message:
com.openhtmltopdf.load SEVERE:: Unable to disable XML External Entities, which might put you at risk to XXE attacks
I've been googling for a bit and couldn't find any solution, but I managed to track the origin of the issue to this class:
com.openhtmltopdf.resource.XMLResource
when the system calls the following method:
and the implementation of TransformerFactory is provided by another library of docx4j: xalan-interpretive:8.0.0
More specifically, the class that fails is the following:
org.docx4j.org.apache.xalan.processor.TransformerFactoryImpl
I am not an expert in XML or in security, and I might be totally wrong about this, but it seems like this implementation doesn't support some security attributes that are expected by openhtmltopdf.
It is marked as "SEVERE" by openhtmltopdf, so I am guessing it can be a serious security leak, and I have users inserting HTML into my program, so I would like to understand it and to ask whether it is possible to fix this issue.
Thank you!
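The post suspects that the TransformerFactory JAXP picks up at runtime (the docx4j-repackaged Xalan) does not accept the attributes openhtmltopdf uses to switch off external entity resolution. The probe below is an added example, not code from the post, openhtmltopdf or docx4j: it reports which TransformerFactory implementation JAXP discovery resolves, tries the JAXP 1.5 hardening (XMLConstants.FEATURE_SECURE_PROCESSING, ACCESS_EXTERNAL_DTD, ACCESS_EXTERNAL_STYLESHEET) and reports which of them the factory rejects, and then runs an identity transform over a constructed XXE document whose external entity points at a temporary file, so you can see whether the entity is expanded or blocked before and after hardening. It then repeats the same checks with the JDK's built-in XSLTC factory pinned by class name. Assumptions: a JDK 8 or later with the internal class com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl (a JDK-internal name, not public API); the class name TransformerFactoryXxeProbe and the helper names are mine; and which attributes the xalan-interpretive factory honours is not asserted here, the probe output tells you.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (not openhtmltopdf/docx4j code): probes which TransformerFactory JAXP
 * resolves, whether it accepts the XXE-relevant JAXP 1.5 settings, and whether an external
 * entity is actually expanded by an identity transform before/after hardening.
 */
public class TransformerFactoryXxeProbe {

    /** Applies the standard hardening; returns true only if the factory accepted all of it. */
    static boolean harden(TransformerFactory tf) {
        boolean ok = true;
        try {
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            ok = false;
            System.out.println("    FEATURE_SECURE_PROCESSING rejected: " + e.getMessage());
        }
        // "" means no protocol is allowed, i.e. external DTDs, external entities and external
        // stylesheets cannot be fetched. JAXP contract: an implementation that does not
        // recognise the attribute throws IllegalArgumentException, which is what we detect.
        String[] attrs = {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET};
        for (String attr : attrs) {
            try {
                tf.setAttribute(attr, "");
            } catch (IllegalArgumentException e) {
                ok = false;
                System.out.println("    attribute not supported: " + attr);
            }
        }
        return ok;
    }

    /**
     * Identity-transforms a constructed XXE document (constructed test input, not real data)
     * and reports whether the external entity was expanded or access was refused.
     */
    static String xxeOutcome(TransformerFactory tf, Path secretFile) {
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"" + secretFile.toUri() + "\">]>\n"
                + "<x>&ext;</x>";
        try {
            Transformer identity = tf.newTransformer(); // no stylesheet: identity transform
            StringWriter out = new StringWriter();
            identity.transform(new StreamSource(new StringReader(xxe)), new StreamResult(out));
            return out.toString().contains("SECRET")
                    ? "EXPANDED (file content leaked into the output)"
                    : "not expanded, output was: " + out;
        } catch (TransformerException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    static void report(String label, TransformerFactory tf, Path secretFile) {
        System.out.println(label + ": " + tf.getClass().getName());
        System.out.println("  before hardening: " + xxeOutcome(tf, secretFile));
        System.out.println("  hardening fully accepted: " + harden(tf));
        System.out.println("  after hardening:  " + xxeOutcome(tf, secretFile));
    }

    public static void main(String[] args) throws Exception {
        Path secretFile = Files.createTempFile("xxe-probe", ".txt");
        Files.write(secretFile, "SECRET".getBytes(StandardCharsets.UTF_8));
        try {
            // 1. Whatever JAXP discovery finds: the javax.xml.transform.TransformerFactory system
            //    property, then META-INF/services on the classpath (how a repackaged Xalan jar
            //    takes over), then the JDK default.
            report("discovered", TransformerFactory.newInstance(), secretFile);

            // 2. The JDK's built-in XSLTC factory pinned by class name, bypassing discovery.
            //    Assumption: JDK 8+ internal class name; not public API.
            report("pinned JDK", TransformerFactory.newInstance(
                    "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", null),
                    secretFile);
        } finally {
            Files.deleteIfExists(secretFile);
        }
    }
}
```

Run it on the same classpath as the application (docx4j, docx4j-ImportXHTML, xalan-interpretive) so the "discovered" line shows the factory openhtmltopdf actually gets. If that factory rejects the attributes while the pinned JDK factory blocks the entity, one fix is to select the JDK factory for the whole JVM with -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; that property is read by every library that calls TransformerFactory.newInstance(), including docx4j's own XSLT steps, so regenerate a document with it set and check the output before adopting it.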