enable FEATURE_SECURE_PROCESSING for the MSXML XSLProcessor

src/changes/changes.xml

@@ -8,6 +8,9 @@
 
  <body>
  <release version="3.9.0" date="December xx, 2023" description="Bugfixes">
+ <action type="fix" dev="rbri">
+ Enable FEATURE_SECURE_PROCESSING for the MSXML XSLProcessor.
+ </action>
  <action type="fix" dev="René Schwietzke">
  neko: fix wrong error processing for some unicode entities.
  </action>

src/main/java/org/htmlunit/activex/javascript/msxml/XSLProcessor.java

@@ -20,6 +20,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
@@ -180,7 +181,15 @@ private Object transform(final XMLDOMNode source) {
 
  final DOMResult result = new DOMResult(containerElement);
 
- final Transformer transformer = TransformerFactory.newInstance().newTransformer(xsltSource);
+ final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+
+ // By default, the JDK turns on FSP for DOM and SAX parsers and XML schema validators,
+ // which sets a number of processing limits on the processors. Conversely, by default,
+ // the JDK turns off FSP for transformers and XPath, which enables extension functions for XSLT and XPath.
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+ final Transformer transformer = transformerFactory.newTransformer(xsltSource);
+
  for (final Map.Entry<String, Object> entry : parameters_.entrySet()) {
  transformer.setParameter(entry.getKey(), entry.getValue());
  }

src/test/java/org/htmlunit/activex/javascript/msxml/XSLProcessorTest.java

@@ -156,4 +156,56 @@ public void transform() throws Exception {
 
  loadPageVerifyTitle2(createTestHTML(html));
  }
+
+ /**
+ * @throws Exception if the test fails
+ */
+ @Test
+ @Alerts(DEFAULT = "no ActiveX",
+ IE = {"preparation done", "exception"})
+ public void testSecurity() throws Exception {
+ final String html = "<html><head>\n"
+ + "<script>\n"
+ + LOG_TITLE_FUNCTION
+ + " function test() {\n"
+ + ACTIVEX_CHECK
+ + " try {"
+ + " var xmlDoc = " + callLoadXMLDOMDocumentFromURL("'" + URL_SECOND + "1'") + ";\n"
+ + " var xslDoc = new ActiveXObject('Msxml2.FreeThreadedDOMDocument.3.0');\n"
+ + " xslDoc.async = false;\n"
+ + " xslDoc.load('" + URL_SECOND + "2');\n"
+ + " var xslt = new ActiveXObject('Msxml2.XSLTemplate.3.0');\n"
+ + " xslt.stylesheet = xslDoc;\n"
+ + " var xslProc = xslt.createProcessor();\n"
+ + " xslProc.input = xmlDoc;\n"
+ + " log('preparation done');\n"
+ + " xslProc.transform();\n"
+ + " log(newxslProc.output);\n"
+ + " } catch(e) { log('exception'); }\n"
+ + " }\n"
+ + LOAD_XMLDOMDOCUMENT_FROM_URL_FUNCTION
+ + "</script></head>"
+ + "<body onload='test()'>\n"
+ + "</body></html>";
+
+ final String xml
+ = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
+ + "<s></s>";
+
+ final String xsl
+ = " <xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http:https://www.w3.org/1999/XSL/Transform\" "
+ + "xmlns:rt=\"http:https://xml.apache.org/xalan/java/java.lang.Runtime\" "
+ + "xmlns:ob=\"http:https://xml.apache.org/xalan/java/java.lang.Object\">\r\n"
+ + " <xsl:template match='/'>\n"
+ + " <xsl:variable name='rtobject' select='rt:getRuntime()'/>\n"
+ + " <xsl:variable name=\"rtString\" select=\"ob:toString($rtobject)\"/>\n"
+ + " <xsl:value-of select=\"$rtString\"/>\n"
+ + " </xsl:template>\r\n"
+ + " </xsl:stylesheet>";
+
+ getMockWebConnection().setResponse(new URL(URL_SECOND, "1"), xml, MimeType.TEXT_XML);
+ getMockWebConnection().setResponse(new URL(URL_SECOND, "2"), xsl, MimeType.TEXT_XML);
+
+ loadPageVerifyTitle2(html);
+ }
 }