From e015082aa909fd9e1c2b5f9b26553ddc0ddbbcab Mon Sep 17 00:00:00 2001
From: Ronald Brill
Date: Tue, 28 Nov 2023 14:14:37 +0100
Subject: [PATCH] enable FEATURE_SECURE_PROCESSING for the MSXML XSLProcessor
---
 src/changes/changes.xml | 3 ++
 .../javascript/msxml/XSLProcessor.java | 11 +++-
 .../javascript/msxml/XSLProcessorTest.java | 52 +++++++++++++++++++
 3 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 3c2476417e2..bc3487ba21f 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -8,6 +8,9 @@
+
+ Enable FEATURE_SECURE_PROCESSING for the MSXML XSLProcessor.
+
 neko: fix wrong error processing for some unicode entities.
diff --git a/src/main/java/org/htmlunit/activex/javascript/msxml/XSLProcessor.java b/src/main/java/org/htmlunit/activex/javascript/msxml/XSLProcessor.java
index 7ce84e06e06..aa3c6b6c3ea 100644
--- a/src/main/java/org/htmlunit/activex/javascript/msxml/XSLProcessor.java
+++ b/src/main/java/org/htmlunit/activex/javascript/msxml/XSLProcessor.java
@@ -20,6 +20,7 @@
 import java.util.HashMap;
 import java.util.Map;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
@@ -180,7 +181,15 @@ private Object transform(final XMLDOMNode source) {
 final DOMResult result = new DOMResult(containerElement);
- final Transformer transformer = TransformerFactory.newInstance().newTransformer(xsltSource);
+ final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+
+ // By default, the JDK turns on FSP for DOM and SAX parsers and XML schema validators,
+ // which sets a number of processing limits on the processors. Conversely, by default,
+ // the JDK turns off FSP for transformers and XPath, which enables extension functions for XSLT and XPath.
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+ final Transformer transformer = transformerFactory.newTransformer(xsltSource);
+
 for (final Map.Entry entry : parameters_.entrySet()) {
 transformer.setParameter(entry.getKey(), entry.getValue());
 }
diff --git a/src/test/java/org/htmlunit/activex/javascript/msxml/XSLProcessorTest.java b/src/test/java/org/htmlunit/activex/javascript/msxml/XSLProcessorTest.java
index a1a894c6484..767484d7e4d 100644
--- a/src/test/java/org/htmlunit/activex/javascript/msxml/XSLProcessorTest.java
+++ b/src/test/java/org/htmlunit/activex/javascript/msxml/XSLProcessorTest.java
@@ -156,4 +156,56 @@ public void transform() throws Exception {
 loadPageVerifyTitle2(createTestHTML(html));
 }
+
+ /**
+ * @throws Exception if the test fails
+ */
+ @Test
+ @Alerts(DEFAULT = "no ActiveX",
+ IE = {"preparation done", "exception"})
+ public void testSecurity() throws Exception {
+ final String html = "\n" + "" + "\n" + "";
+ final String xml
+ = "\n" + "";
+ final String xsl
+ = " \r\n" + " \n" + " \n" + " \n" + " \n" + " \r\n" + " ";
+ getMockWebConnection().setResponse(new URL(URL_SECOND, "1"), xml, MimeType.TEXT_XML);
+ getMockWebConnection().setResponse(new URL(URL_SECOND, "2"), xsl, MimeType.TEXT_XML);
+ loadPageVerifyTitle2(html);
+ }
 }
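Review bot: `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` declares the checked `TransformerConfigurationException` and the hunk shows no handler for it; the removed `newTransformer(xsltSource)` call threw the same type and compiled, so the handling presumably lives in the part of `transform` outside the hunk (the method starts and ends beyond it) — worth confirming the new call sits inside that same try. XMLConstants documents that every JAXP implementation must support this feature, so on the default factory the call itself should not fail, but `TransformerFactory.newInstance()` takes whichever implementation the service loader finds first, so the hardening is only as strong as that implementation's FSP handling. The added comment describes JDK defaults but not why this caller needs the flag: the stylesheet appears to be supplied by page script (the test fetches it from `URL_SECOND`), so a line such as `// Stylesheets are page-supplied: FSP disables XSLT extension functions (and, on the JDK implementation, external DTD/stylesheet access)` would carry the intent better than the generic note.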
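Review bot: The IE expectation `{"preparation done", "exception"}` only pins that something was thrown, not that FEATURE_SECURE_PROCESSING caused it, so a failed stylesheet fetch or any other error in the page script would pass this test as well; if the alert can carry the error message (the script body is not visible in the hunk), asserting the text the transformer produces would make the regression guard specific. The Javadoc carries only `@throws Exception if the test fails`; a leading sentence stating what the stylesheet attempts that secure processing is expected to block, e.g. `* Transformation must fail once secure processing is enabled on the transformer factory.`, would tell a reader why an exception is the success case. The sibling test above is named `transform()`, so `testSecurity()` should drop the `test` prefix to match, e.g. `secureProcessing()`.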