A bug appears to have been introduced into the xml extension between versions 2.0.13 and 2.0.14 and between 2.1-RC4 and 2.1-RC5 in that the TransformRepresentation will now fail to transform a SaxRepresentation but will successfully transform other types.
I suspect that this may have been introduced as a feature or side effect of the Commit "Fixed security bug in the XML extension that allows XML external entity attacks. Reported by Fabio Mancinelli." but I am uncertain, if this is a bug or a changed input requirement for Sax based input.
The issue can be replicated using the following test case against versions 2.0.14 and 2.1-RC5.
Graham Smith
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerException;
import javax.xml.transform.URIResolver;
import org.junit.Test;
import org.restlet.data.CharacterSet;
import org.restlet.data.MediaType;
import org.restlet.engine.io.BufferingRepresentation;
import org.restlet.ext.xml.SaxRepresentation;
import org.restlet.ext.xml.TransformRepresentation;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;
import static org.junit.Assert.*;
/**
*
* @author agsmith
*/
public class XsltTransformationTest {
private static final String INPUT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><foo><bar>value</bar></foo>";
private static final String XSLT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"><xsl:output method=\"xml\" indent=\"no\"/><xsl:template match=\"/\"><bar><foo><xsl:value-of select=\"foo/bar\"/></foo></bar></xsl:template></xsl:stylesheet>";
private static final String EXPECTED_OUTPUT = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><bar><foo>value</foo></bar>";
/**
*/
@Test
public void runSaxRepresentation() throws Exception {
final OutputStream out = new ByteArrayOutputStream();
final Representation source = new SaxRepresentation (
new StringRepresentation(INPUT,
MediaType.APPLICATION_XML, null, CharacterSet.UTF_8));
final Representation xslt = new StringRepresentation(XSLT, MediaType.APPLICATION_W3C_XSLT);
final URIResolver resolver = new URIResolver(){
@Override
public Source resolve(String href, String base) throws TransformerException {
throw new UnsupportedOperationException("This should not be needed in this test.");
}
};
new TransformRepresentation(resolver, source, xslt).write(out);
assertEquals("The Transformed Xml is not as ", EXPECTED_OUTPUT, out.toString());
}
@Test
public void runBufferingRepresentation() throws Exception {
final OutputStream out = new ByteArrayOutputStream();
final Representation source = new BufferingRepresentation(
new StringRepresentation(INPUT,
MediaType.APPLICATION_XML, null, CharacterSet.UTF_8));
final Representation xslt = new StringRepresentation(XSLT, MediaType.APPLICATION_W3C_XSLT);
final URIResolver resolver = new URIResolver(){
@Override
public Source resolve(String href, String base) throws TransformerException {
throw new UnsupportedOperationException("This should not be needed in this test.");
}
};
new TransformRepresentation(resolver, source, xslt).write(out);
assertEquals("The Transformed Xml is not as ", EXPECTED_OUTPUT, out.toString());
}
@Test
public void runStringRepresentation() throws Exception {
final OutputStream out = new ByteArrayOutputStream();
final Representation source =
new StringRepresentation(INPUT,
MediaType.APPLICATION_XML, null, CharacterSet.UTF_8);
final Representation xslt = new StringRepresentation(XSLT, MediaType.APPLICATION_W3C_XSLT);
final URIResolver resolver = new URIResolver(){
@Override
public Source resolve(String href, String base) throws TransformerException {
throw new UnsupportedOperationException("This should not be needed in this test.");
}
};
new TransformRepresentation(resolver, source, xslt).write(out);
assertEquals("The Transformed Xml is not as ", EXPECTED_OUTPUT, out.toString());
}
}
A bug appears to have been introduced into the xml extension between versions 2.0.13 and 2.0.14 and between 2.1-RC4 and 2.1-RC5 in that the TransformRepresentation will now fail to transform a SaxRepresentation but will successfully transform other types.
I suspect that this may have been introduced as a feature or side effect of the Commit "Fixed security bug in the XML extension that allows XML external entity attacks. Reported by Fabio Mancinelli." but I am uncertain, if this is a bug or a changed input requirement for Sax based input.
The issue can be replicated using the following test case against versions 2.0.14 and 2.1-RC5.
Graham Smith