Full Interface Mechanism for XSLT with Saxon
XXE Prevention Attributes
getTransformerFactory is a common secure API provided by PTC that returns an instance of TransformerFactory for use in XSLT transformations. The instance is provided by Saxon if Saxon is on the classpath; otherwise the JDK implementation is used. Because this API is a secure one, external DTDs and stylesheets may not be included from the parent XSLT file. To reduce the risk of an XXE attack, Saxon has introduced the following attributes, and PTC has added support for them. These attributes restrict access to external DTDs and stylesheets:
// Obtain the secure factory (Saxon if on the classpath, otherwise the JDK implementation).
final TransformerFactory transformerFactory = (new JAXPFactories()).getTransformerFactory();
// An empty protocol list means no external stylesheet or DTD may be fetched.
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
With the configuration above, external references to DTDs or stylesheets will not work. To avoid errors caused by these attribute settings, Saxon requires a URI resolver, so PTC has introduced WTURIResolver. Whenever you use the getTransformerFactory API, set WTURIResolver for the given parent XSL file as shown in the example below. With this configuration, included files are resolved from the WT_HOME location, so any file to be included must be located under WT_HOME.
// filterFile is the parent XSL file; includes are resolved relative to WT_HOME.
transformerFactory.setURIResolver(new WTURIResolver(filterFile));
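The following is an added example, not PTC's code: it shows the same hardening with the standard JAXP API, using a hypothetical RestrictedUriResolver in place of WTURIResolver and a baseDir parameter in place of WT_HOME, so that xsl:include and xsl:import hrefs are served only from inside that directory.

```java
import java.io.File;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Hypothetical stand-in for WTURIResolver: resolves include/import hrefs
// relative to a fixed base directory (standing in for WT_HOME) and refuses
// anything that would escape it.
final class RestrictedUriResolver implements URIResolver {
    private final Path baseDir;

    RestrictedUriResolver(File baseDir) {
        this.baseDir = baseDir.toPath().toAbsolutePath().normalize();
    }

    @Override
    public Source resolve(String href, String base) throws TransformerException {
        // Normalise so "../" segments (or an absolute href) cannot leave baseDir.
        Path target = baseDir.resolve(href).normalize();
        if (!target.startsWith(baseDir)) {
            throw new TransformerException("include outside base directory refused: " + href);
        }
        return new StreamSource(target.toFile());
    }
}

public final class SecureXslt {
    // Factory with external DTD/stylesheet access disabled, plus the resolver
    // that supplies includes only from baseDir (Saxon is used if on the classpath).
    static TransformerFactory secureFactory(File baseDir) {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setURIResolver(new RestrictedUriResolver(baseDir));
        return factory;
    }

    // Usage: java SecureXslt <baseDir> <stylesheet-relative-to-baseDir> <input.xml>
    public static void main(String[] args) throws Exception {
        File baseDir = new File(args[0]);
        Transformer t = secureFactory(baseDir)
            .newTransformer(new StreamSource(new File(baseDir, args[1])));
        t.transform(new StreamSource(new File(args[2])), new StreamResult(System.out));
    }
}
```

A stylesheet that includes a file under baseDir transforms normally, while an include pointing outside it (or at a remote URL) fails with the resolver's TransformerException instead of being fetched.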