java - 在安全模式下使用 Xalan 执行 XSLT 以创建 XHTML 在创建属性时抛出 TransformerConfigurationException

Question

我正在尝试在安全模式下使用 Xalan (2.7.2) 的更新版本，但遇到无法理解未知属性的问题。问题是，它会阻止您使用任何发出 XHTML 的样式表(在安全处理模式下)，因为它不允许诸如“th”元素的“colspan”属性之类的东西。

关联的更改文件在这里:http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h

请看下面的例子:

import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

public class XalanSecureAttributeRepro {
    private static final String XSL =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
            "  <xsl:output method=\"html\"/>\n" +
            "  <xsl:template match=\"/*\">\n" +
            "    <th colspan=\"2\"/>\n" +
            "  </xsl:template>\n" +
            "</xsl:stylesheet>";

    public static void main( String[] args ) throws Exception {
        System.setProperty( "javax.xml.transform.TransformerFactory", "org.apache.xalan.processor.TransformerFactoryImpl" );

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setErrorListener( new DefaultErrorHandler( true ) );

        final Source source = new StreamSource( new StringReader( XSL ) );
        Templates templates = tf.newTemplates( source ); // throws:
                        // TransformerException: "colspan" attribute is not allowed on the th element!
    }
}

它返回这个错误:

Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
    at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
    ... 6 more
Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
    at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
    at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
    at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
    at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
    at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
    at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
    ... 6 more
Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
    at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
    ... 22 more

我是不是在样式表上做错了什么，还是我错过了在变压器工厂上设置的功能。您将如何使用 Xalan 转换在安全处理模式下发出 (X)HTML 的样式表？

Answer 1

所引用的 Xalan 源版本中有问题的行是:

if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())

我不是 100% 确定 attrDef 中的内容，但我猜这是你的属性，它永远不会有 * 的值(但来自文档在 XSLTAttributeDef 上，值 * 是允许的，但我不知道如何，因为它不是 qname)。

documentation on secure processing只限制单个元素上的属性数量，但限制很高，10,000。

在我看来，您遇到了 Xalan 2.7.1 的错误。它会阻止您使用任何属性。如果因为只能使用已知的属性而施加限制，它似乎仍然是一个错误，因为 th 允许将 colspan 作为 HTML 和 XHTML 中的属性.不过，如果您将输出从 HTML 更改为 XML 时看到相同的行为，您可以尝试一下。