Mailing-List: contact xalan-cvs-help@xml.apache.org; run by ezmlm
Delivered-To: mailing list xalan-cvs@xml.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: svn commit: r1350856 [7/11] - in /xalan/site: ./ docs/ docs/xalan/ docs/xalan/resources/ docs/xalan/xalan-c/ docs/xalan/xalan-c/resources/ docs/xalan/xalan-j/ stylebook/ stylebook/Xalan-Logos/ stylebook/css/ stylebook/style/ stylebook/style/dtd/ xdocs/...
Date: Sat, 16 Jun 2012 03:57:39 -0000
To: xalan-cvs@xml.apache.org
From: shathaway@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120616035742.EB2902388C1F@eris.apache.org> Added: xalan/site/docs/xalan/xalan-c/samples.html URL: http://svn.apache.org/viewvc/xalan/site/docs/xalan/xalan-c/samples.html?rev=1350856&view=auto ============================================================================== --- xalan/site/docs/xalan/xalan-c/samples.html (added) +++ xalan/site/docs/xalan/xalan-c/samples.html Sat Jun 16 03:57:36 2012 @@ -0,0 +1,885 @@ + + + + +ASF: Xalan-C++ Samples + + + + + + +
+ + + + + + + + + + +
+ +Trademark Logo + + +Xalan-C/C++ Version 1.11 +
Xalan-C++ Samples
+ + + + + + + + + + +
+Apache Foundation + +Xalan Project + +Xerces Project + +Web Consortium + +Oasis Open +
+
+ +
+

Xalan-C++ Samples

+ + + +

+(top) +

+

Samples to help you get started

+

Each of the subdirectories in the Xalan-C++ samples directory contains the source files for a + sample application. The executables for the samples are in the build subdirectory, which should be on the system + path.

+

With most of the samples, you can use the following procedure:

+
    +
  1. Go to the samples subdirectory containing the sample (use the DOS shell if you are running Windows)
    +
    +
  2. +
  3. Run the sample from the command line (as indicated below)
    +
    +
  4. +
  5. Examine the application source files. You may also want to modify the source files. Remember that if you + modify a .cpp file, you must rebuild the executable and place it on the path before you can run the + modified application.
  6. +
+ + + + + +
+note +Each sample application looks for input files in the current directory, the directory from + which you run the application. The input files are in the samples subdirectory along with the sample source + files. For the UNIX builds, application executables are in the bin subdirectory. For the Windows32 build, the + application executable is in the bin subdirectory (Xalan-C_1_11_0-<my_Windows_distribution>\bin). To run a + sample, be sure the executable is on the path, and run it from the samples subdirectory that contains the input + files.
+ + + + + +
+note +The most of the samples are implemented without providing a pluggable memory manager. The SimpleTransform sample illustrates, + in addition to a simple transformation, the usage of the processor with memory manager
+ + + + +

+(top) +

+

Rebuilding a Sample application

+

Instructions for rebuilding the samples differ depending on whether you are using the binary package or the source +package.

+

For Windows users, the Xalan Visual C++ workspace contains project configurations for building + each of the samples. Users who have downloaded the source package, can find the XalanICU.dsw workspace + file under:
+
     Xalan-C_1_11_0-src\src\xalanc\Projects\Win32\VC6 +
+
and XalanICU.sln solution file under:
+
+      Xalan-C_1_11_0-src\src\xalanc\Projects\Win32\VC7.1 + +
+
Users who have downloaded the binary package, should use the Samples.dsw workspace file + located under:
+
      + Xalan-C_1_11_0-<my_Win32_distribution>\Samples\Projects\Win32\VC6 +
+
+ or the Samples.sln solution file for .NET V7.1 users, located under:
+
      + Xalan-C_1_11_0-<my_Win32_distribution>\Samples\Projects\Win32\VC7.1 +
+
+

+

The Makefile that comes with the UNIX distributions include targets for rebuilding one or all of + the sample applications. To rebuild one or more sample applications from the UNIX source package, + go to the Xalan-C_1_11_0-src directory and run
+
+      gmake +Target + + +
+
+ where +Target + is Samples (all the samples), ApacheModuleXSLT, + CompileStylesheet, DocumentBuilder, ExternalFunctions, + ParsedSourceWrappers, SerializedNodeSet, SimpleTransform, + SimpleXPathAPI, SimpleXPathCAPI, StreamTransform, + ThreadSafe, TraceListen, TransformToXercesDOM, + UseStylesheetParam, XalanTransform, or + XalanTransformerCallback.

+

To rebuild the samples from the UNIX binary package, go to the ../samples directory of your installation, + run the runConfigure utility for your target platform, and then run gmake. For example, AIX users would + issue the following command:
+
+      ./runConfigure -p aix -c xlc_r -x xlC_r +
+      cd samples +
+
+      gmake +Target + + +
+
+ where +Target + can be Samples (for building all samples), or the individual sample name as + listed above.

+ + + + + +
+note +For information on building Apache Module, see ApacheModuleXSLT +
+ + + +

+(top) +

+

ApacheModuleXSLT

+ + + + + +
+note +This sample must be built with the Apache Web server, and the Xalan-C++ distribution files do not include a binary + for ApacheModuleXSLT. Assuming you have installed the Apache server on your platform, you can use Visual C++ on Windows to + build ApacheModuleXSLT.dll, or the Makefile on UNIX to build xslt_module (with the appropriate library suffix).
+ +

What it does: runs as an Apache module on an Apache Web server; performs transformations and returns the output to a Web + browser. You configure Apache to respond to a given URL request for an output file (html or txt file in the configuration below) + by applying an xsl stylesheet file to an xml document file (both with the specified name in a given location) and returning + the transformation output to the client.

+

This sample also illustrates use of the XalanTransformer class and the C API defined in src/XalanTransformer/XalanCAPI.h. It returns + transformation output in blocks to a callback function, which enables the browser to start displaying the result before the transformation + has been completed.

+ + + + + +
+note +You may need to adjust the Visual C++ or Makefile settings to locate the required Apache header files. As shipped, the Visual C++ + project file looks in \Apache Group\Apache\src\include, and the UNIX Makefile looks in usr/lib.
+

To build the Apache module, follow the instructions in Steps for doing a Windows + build or Steps for doing a UNIX build. For UNIX platforms, you do the build with
+ gmake ApacheModuleXSLT.

+ +

+(top) +

+

Setting up and using ApacheModuleXSLT

+

To use ApacheModuleXSLT, do the following:

+
    +
  1. (UNIX only) Be sure the Xalan and Xerces libraries are on your library path (you can accomplish this by copying them to + /usr/lib; see Setting up the path/library path), and copy the Apache module to + /usr/lib/apache.
    +
    +
  2. +
  3. Add LoadModule and (UNIX only) AddModule entries to the Apache configuration file: httpd.conf.
    +
    + Windows: LoadModule xslt_module Xalan-C_1_11_0-<my_Windows_distribution>\bin\ApacheModuleXSLT.dll +
    +
    + UNIX: AddModule mod_xslt.c +
    +         and
    +         LoadModule xslt_module /usr/lib/apache/mod_xslt. +xx + + +
    +
    + where +xx + is the appropriate library suffix for the UNIX platform ("so" or "a").
    +
    +
  4. +
  5. Add a <Location> entry to httpd.conf that indicates where xml/xsl file pairs are to be found, and what target file extensions + to recognize. We suggest the following:
    +
    + <Location /xslt> +
    +   AddHandler mod_xslt .html +
    +   AddHandler mod_xslt .txt +
    + </Location> +
    +
    + This <Location> element instructs the module to respond to requests for +xxx +.html and +xxx +.txt files in the + in the xslt subdirectory (under the document root; see next item) by applying the +xxx +.xsl stylesheet to +xxx +.xml + (both in that directory) and returning the transformation result to the browser.
    +
    + For example, a request for foo.html instructs the module to apply foo.xsl to foo.xml and return the result.
    +
    + Note: It is up to the stylesheet to apply the appropriate xsl:output method to the output. Whether the user specifies html or txt is, of + itself, immaterial.
    +
    +
  6. +
  7. Put xml/xsl file pairs in the <Location> subdirectory (xslt in the example)) under the document root directory specified in + httpd.conf by the DocumentRoot and <Directory> settings. Alternatively, you can modify these settings to point to + Xalan-C_1_11_0-<my_UNIX_distribution>/samples/ApacheModuleXSLT, which includes an xslt subdirectory with xml/xsl file pairs + (foo.xml/xsl, apachemod.xml/xsl).
    +
    +
  8. +
  9. Start the Apache server.
    +
    +
  10. +
  11. From a Web browser, call the module with a URL as follows:
    + http:// +serverName +/xslt/ +xxx +.html +
    + where +serverName + is the Apache server (such as www.myServer.com) and +xxx + is the name of an xml/xsl pair of files + (such as foo.xml and foo.xsl) in the xslt subdirectory under the DocumentRoot directory.
    +
    + For example,
    + http://www.myServer.com/xslt/apachemod.html +
    + instructs ApacheModuleXSLT to apply the apachemod.xsl stylesheet to the apachemod.xml XML document (both files in the xslt directory + under the Apache DocumentRoot directory) and return the transformation result to the browser.
  12. +
+ + + + +

+(top) +

+

CompileStylesheet

+

What it does: Use a compiled stylesheet to perform a series of transformations.

+

You can run it from the CompileStylesheet subdirectory with

+

+CompileStylesheet +

+

See also: Compiling stylesheets.

+ + + +

+(top) +

+

DocumentBuilder

+

What it does: Use a DocumentBuilder to programmatically construct an XML document, apply the foo.xsl stylesheet to + this document, and write the ouput to foo.out.

+

You can run it from the DocumentBuilder subdirectory with

+

+DocumentBuilder +

+ + + +

+(top) +

+

ExternalFunctions

+

What it does: implement, install, and illustrate the usage of three extension functions. The functions return a + square root, a cube, and a string with the current date and time. The sample stylesheet (foo.xsl) gets the area + of a cube and units of measurement from an XML document (foo.xml), computes the length of each side + of a cube and the volume of the cube, and enters the date and time of the transformation. The output appears in + foo.out.

+

Run this sample from the ExternalFunctions subdirectory with

+

+ExternalFunctions +

+

See also: Extension Functions.

+ + + +

+(top) +

+

ParsedSourceWrappers

+

What it does: performs a transformation with input in the form of a pre-built XercesDOM or XalanSourceTree.

+

Run this sample from the ParsedSourceWrappers subdirectory with

+

+ParsedSourceWrappers +

+

See transformXercesDOM() and transformXalanSourceTree() as called by transform() in ParsedSourceWrappers.cpp.

+ + + +

+(top) +

+

SerializeNodeSet

+

What it does: Serialize the node set returned by the application of an XPath expression to an XML document.

+

Run this sample from the SerializeNodeSet subdirectory with

+

+SerializeNodeSet +XMLFile + +ContextNode + +XPathExpression + + +

+

where +XMLFile + is an XML source file, +ContextNode + is the location path to the context + node, and +XPathExpression + is an XPath expression to apply to that context node. The SerializeNodeSet + directory contains the same foo.xml sample source file as the preceding examples.

+ + + +

+(top) +

+

SimpleTransform

+

What it does: The SimpleTransform class uses the foo.xsl stylesheet to transform foo.xml, and writes the + output to foo.out. The source for this sample has been modified to demonstrate the usage of the new pluggable + memory management feature.

+

You can run it from the SimpleTransform subdirectory with

+

+SimpleTransform +

+

See also: Basic procedures for performing XSL + transformations.

+ + + +

+(top) +

+

SimpleXPathAPI

+

What it does: Use the XPathEvaluator interface to evaluate an XPath expression from the specified context node of + an XML file and display the nodeset returned by the expression.

+ + + + + +
+note +You can use this sample as an aid when you want to find out what a given XPath expression returns from a + given context node in an XML file.
+

Run this sample from the SimpleXPathAPI subdirectory with

+

+SimpleXPathAPI +XMLFile + +ContextNode + +XPathExpression + + +

+

where +XMLFile + is an XML source file, +ContextNode + is the location path to the context + node, and +XPathExpression + is an XPath expression to apply to that context node.

+ + + + + +
+note +Keep in mind that the string value returned by an XPath expression is the string value of the first node in the + nodeset returned by the expresssion.
+

The XPathWrapper subdirectory contains an XML file named xml.foo (part of it appears below).

+
+
+<?xml version="1.0"?>
+<doc>
+  <name first="David" last="Marston">Mr. Marson</name>
+  <name first="David" last="Bertoni">Mr. Bertoni</name>
+  ...
+  <name first="Paul" last="Dick">Mr. Dick</name>
+</doc>
+
+
+

You can try command lines like

+

+SimpleXPathAPI foo.xml /doc name/@last +

+

and

+

+SimpleXPathAPI foo.xml / '//name[position()="4"]/@first' +

+ + + + + +
+note +If a SimpleXPathAPI argument includes characters (such as *) that the shell interprets incorrectly, enclose the argument + in double quotes.
+

See also: Working with XPath expressions.

+ + + +

+(top) +

+

SimpleXPathCAPI

+

What it does: Use the XPathEvaluator C interface to evaluate an XPath epxeression and display the string value returned + by the epxression.

+ + + + + +
+note +Keep in mind that the string value returned by an XPath expression is the string value of the first node in the nodeset + returned by the epxresssion.
+

Run this sample from the SimpleXPathCAPI subdirectory with

+

+SimpleXPathCAPI +XMLFile + +XPathExpression + + +

+

where +XMLFile + is an XML source file, and +XPathExpression + is an XPath expression to apply to the XML + source file. The SimpleXPathCAPI subdirectory contains an XML file named xml.foo identical to foo.xml in the preceding + example.

+

You can try command lines like

+

+SimpleXPathCAPI foo.xml /doc/name[3] +

+ + + +

+(top) +

+

StreamTransform

+

What it does: The StreamTransform class processes character input streams containing a stylesheet and an XML document, and + writes the transformation output to a character output stream. This sample illustrates the process for working with stylesheets + and documents that you assemble in memory.

+

You can run it from the SimpleTransform subdirectory with

+

+StreamTransform +

+ + + +

+(top) +

+

ThreadSafe

+

What it does: Multiple threads use a single compiled stylesheet (StylesheetRoot) and DOM source tree (XalanNode) to perform + transformations concurrently. The application tracks the progress of the threads in messages to the console, and each thread + writes its own output file. Imagine a server application responding to multiple clients who happen to request the same + transformation.

+

You can run it from the ThreadSafe subdirectory with

+

+ThreadSafe +

+

See also: Compiling stylesheets.

+ + + +

+(top) +

+

TraceListen

+

What it does: Trace events during a transformation; the transformation uses birds.xsl to transform birds.xml and writes the + output to birds.out.

+

You can run it from the TraceListen subdirectory with

+

+TraceListen +traceFlags + + +

+

where +traceFlags + is one or more of the following:

+

  -tt (Trace the templates as they are being called)

+

  -tg (Trace each result tree generation event)

+

  -ts (Trace each selection event)

+

  -ttc (Trace the template children as they are being processed)

+

These flags are also available in the command-line utility (TestXSLT).

+

The core of this example is the following fragment:

+
+
+// Set up a diagnostic writer to be used by the TraceListener...
+XalanStdOutputStream  theStdErr(cerr);
+XalanOutputStreamPrintWriter  diagnosticsWriter(theStdErr);
+// Make sure that error reporting, which includes any TraceListener 
+// output does not throw exceptions when transcoding, since that could 
+// result in an exception being thrown while another exception is active.
+// In particular, characters that the TraceListener writes might not be 
+// representable in the local code page.
+theStdErr.setThrowTranscodeException(false);
+
+// Set up the TraceListener...
+// traceTemplates, traceTemplateChildren, traceGenerationEvent,
+// and TraceSelectionEvent are booleans set by the command line.
+TraceListenerDefault theTraceListener(
+        diagnosticsWriter,
+        traceTemplates,
+        traceTemplateChildren,
+        traceGenerationEvent,
+        traceSelectionEvent);
+
+// Add the TraceListener to the XSLT processor...
+theProcessor.setTraceSelects(traceSelectionEvent);
+theProcessor.addTraceListener(&theTraceListener);
+
+// Perform the transformation
+....
+
+
+ + + +

+(top) +

+

TransformToXercesDOM

+

What it does: Performs a simple transformation but puts the result in a Xerces DOMDocument

+

Run this sample from the TransformToXercesDOM subdirectory with

+

+TransformToXercesDOM +XMLFile + +XSLFile + + +

+

where +XMLFile + is a source XML file, and +XSLFile + is the XLST input file. The program will use + +XSLFile + to transform the input file +XMLFile + using Xerces DOM as the output destination.

+

See the FormatterToXercesDOM usage in the sample code.

+ + + +

+(top) +

+

UseStylesheetParam

+ +

What it does: Performs a transformation using top-level stylesheet parameters. There are three supported types of parameters. One is a text string. A second is a number of type double. A nodeset or parsed document can also be used.

+ +

You can run it from the UseStylesheetParam subdirectory with

+ +

+UseStylesheetParam +xmlfile + +stylesheet + +outfile + [options] +

+ +

where the options are:

+ +

+ -s key "'String-Value'" +
+ -n key Number +
+ -d key "Document-URL" +

+ +

The files used by the sample program and the top-level parameter nodesets for this illustration are to be in working directory in which the sample program runs.

+ +

Using the sample program:

+ +

+UseStylesheetParam foo.xml foo.xslt foo.out \
+ -s stringA "'This is a test string value'" \
+ -n numberA 123.012345 \
+ -d parmA "parmA.xml" \
+ -d parmB "parmB.xml"
+

+ +

The +parmA.xml + and +parmB.xml + are parsed and converted to nodesets. The stylesheet +foo.xslt + merges the contents of +foo.xml + and the parameters into the +foo.out + file.

+ +

The source sample is implemented in C++. Another example is implemented in 'C' using the XalanCAPI library +TestCAPIparm.c +. The usage interface for both is the same.

+ +

See also: Setting stylesheet parameters.

+ + + +

+(top) +

+

XalanTransform

+

What it does: XalanTransform uses the XalanTransformer class and the associated C++ API to apply an XSL stylesheet + file to an XML document file and write the transformation output to either an output file or to a stream. XalanTransform + takes command-line arguments for the XML document to be transformed, the XSL stylesheet to apply, and an optional output + file argument. If you omit the third argument, XalanTransform writes the transformation output to a stream that is sent to + standard out (the console).

+

You can run XalanTransform from the XalanTransform subdirectory with

+

+XalanTransform foo.xml foo.xsl foo.out +

+

Omit the third argument to write the transformation result to the console. See also: Using the XalanTransformer class..

+ + + +

+(top) +

+

XalanTransformerCallback

+

What it does: Return transformation output in blocks to a callback function, which writes the output to a file. + This sample illustrates the use of a callback function to incrementally process a transformation result, that is to begin + working with the transformation result before the transformation has been completed. See Processing output incrementally.

+

You can run it from the XalanTransformerCallback subdirectory with

+

+XalanTransformerCallback foo.xml foo.xsl [foo.out] +

+ + + + + +
+note +If you omit the third argument, the transformation result is written to the console.
+ + +

+(top) +

+
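Review bot: the StreamTransform section tells the reader to run the sample "from the SimpleTransform subdirectory", which is the wrong directory for this sample (every other section names its own subdirectory); it should read "from the StreamTransform subdirectory". Same hunk, same kind of copy-and-paste slip: the SimpleXPathAPI text refers to "The XPathWrapper subdirectory" and to a file "named xml.foo", while the command lines right below it use foo.xml in the SimpleXPathAPI directory, and the SimpleXPathCAPI text repeats "xml.foo identical to foo.xml"; the sample data shows last="Marston" next to the text "Mr. Marson"; the heading and run line say SerializeNodeSet but the make target list says SerializedNodeSet, so one of the two will not match the directory on disk. In the ApacheModuleXSLT material, the note says the UNIX Makefile looks in "usr/lib" (missing leading slash), and the setup steps copy the libraries to /usr/lib and the module to /usr/lib/apache without saying what ownership or permissions those copies should have, which matters for code loaded into a web server. The <Location> description maps any requested xxx.html to xxx.xsl plus xxx.xml in that directory; it would help operators to spell out whether a request can reach file pairs outside the configured directory and what the module returns when one half of the pair is missing, since neither case is described. Spelling to fix while here: "ouput", "XLST", "epxeression"/"epxression"/"epxresssion", "expresssion", "The most of the samples", "in the in the xslt subdirectory", "example))", and the double period after "XalanTransformer class".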
+ + + Added: xalan/site/docs/xalan/xalan-c/secureweb.html URL: http://svn.apache.org/viewvc/xalan/site/docs/xalan/xalan-c/secureweb.html?rev=1350856&view=auto ============================================================================== --- xalan/site/docs/xalan/xalan-c/secureweb.html (added) +++ xalan/site/docs/xalan/xalan-c/secureweb.html Sat Jun 16 03:57:36 2012 @@ -0,0 +1,586 @@ + + + + +ASF: XML Security Overview + + + + + + +
+ + + + + + + + + + +
+ +Trademark Logo + + +Xalan-C/C++ Version 1.11 +
XML Security Overview
+ + + + + + + + + + +
+Apache Foundation + +Xalan Project + +Xerces Project + +Web Consortium + +Oasis Open +
+
+ +
+

XML Security Overview

+ + +
+

+This document goes well beyond XSLT. Use it as a general reference. +

+

There are numerous security issues and problems that are +endemic to the XML architecture. +I will try to identify some of the most common issues and threats +and describe some mitigation strategies. +

+

The biggest threat issue is a matter of trust. +How well do you trust your sources of XML data? +What are the tools that can help increase the trust? +

+

Most Web Service communications uses HTTP over standard TCP ports. +The HTTP protocol on standard TCP ports has free access through business firewalls. +How well do your proxy servers handle the Web Service security issues +required for your applications? +

+

How well are your resource identifiers protected? +How well do your applications cope with resource identifier spoofing? +Can your resource identifiers be trusted by outside clients? +Can you trust the credentials of your clients? +

+

Will the SOAP interface for your Web Service send error messages +to an untrusted Web Service address? +

+

Is your WSDL interface description file readily available for download, +thus enabling persons with malicious intent to create targeted attacks on your Web Services? +

+

Can you trust the client credentials that use your Web Service application? +

+

There are numerous security issues that are not directly involved in +the markup of XML or its processing. +These issues relate to infrastructure. +

+

Can you trust your DNS (Domain Name Service) and reduce its vulnerability to hijacking? +

+

Are your web servers hardened against known application vulnerabilities? +

+

Are your applications hardened against +cross site scripting and SQL injection? +

+

Can your client applications trust the scripts +that are transmitted as web pages? +

+

Can your web server trust the scripts that are submitted? +

+

Is application data sanitized before being consumed by your applications? +

+ + +

+(top) +

+

XML Parser Threats

+ +

This list will help you find the XML threat vectors that need to be addressed. +Some vectors cannot be easily resolved. +

+
    +
  • Resolving External Entities
  • +
  • Implicit Trust of Internal DTD
  • +
  • Resource Identifier Spoofing
  • +
  • Malformed UTF-8 and UTF-16
  • +
  • Secure the trust of external DTD descriptions
  • +
  • Secure the trust of external Schema definitions
  • +
  • Secure the trust of entity import and include constructs
  • +
  • Configuration of Entity Resolver Catalogs
  • +
+ + + +

+(top) +

+

Resolving External Entities

+ +

The XML1.0 and XML1.1 standards specify a DOCTYPE format. +The processing may uncover significant entity resolver deficiencies. +

+ +

+<!DOCTYPE name PUBLIC "public-id" "system-id" [internal-DTD]> +
+<!DOCTYPE name SYSTEM "system-id" [internal-DTD]> +

+

XML Parsers MUST process the [internal-DTD] if it exists. +

+

XML Parsers MAY process the external "system-id" if it can be found. +

+

XML Parsers MAY process the external "public-id" if it can be found. +

+

XML Parsers MAY prefer either the "public-id" or "system-id" +if both are specified. +

+

XML Parsers MAY ignore both the "public-id" and "system-id" +if present. +

+

Declaring a parameter entity notation "%entity;" +in the [internal-DTD] and expanding the content within the +[internal-DTD] will force the XML parser to import the content +referenced by the "%entity;" notation. +

+

Declaring a general entity notation "&entity;" in the +[internal-DTD] and expanding the content within the body of +the XML document will force the XML parser to import the content referenced +by the "&entity" notation. +

+

The default method of resolving external entities is by resolving entity +name strings relative to DNS named hosts and/or path names relative to the +local computer system. When receiving XML documents from an outside source, +these entity reference locations may be unreachable, unreliable, or untrusted. +

+

Web Service SOAP XML documents MUST NOT have DOCTYPE definitions. +SOAP processors should not process DOCTYPE definitions. +The conformance is implementation dependent. +

+

+http://www.w3.org/TR/soap +

+ + + +

+(top) +

+

Trusted External Entities

+ +

The +OASIS XML Catalogs + specification, if implemented by an application, +can specify a set of external entities that can be trusted by mapping known +identifiers to local or trusted resources. A secure application should +not trust entity identifiers whose resources cannot be localized and secured. +

+

+http://www.oasis-open.org/committees/entity +

+

A similar method can be designed specifically for each application. +

+

A trusted application may need to pre-screen any entity definitions in XML +before passing the information into the core of the application. +

+

A trusted application should install some type of entity resolving catalog +or database that can be trusted. +

+ + + +

+(top) +

+

Processing Instruction (PI) Threats

+ +

Processing instructions are a mechanism to send specific information +into an application. A common processing instruction is a +stylesheet declaration. +This information is part of an XML document and comes usually +after the XML header and before the root element. +

+

A stylesheet declaration may cause an application to look for an +untrusted XSLT stylesheet to use for transformation of the +following root element. A standard exists for associating style sheets with XML documents. +

+

+http://www.w3.org/TR/xml-stylesheet +

+

Examples in the xml-stylesheet recommendation describes how to use the +processing instruction to associate CSS stylesheets for XHTML. +Applications that use XSLT transformations will interpret the +xml-stylesheet processing instruction as the location of a +XSLT transformation stylesheet. +

+

As more processing instructions become standardized and in common use, +their threat of misuse increases. +

+ + + +

+(top) +

+

SOAP Simple Object Access Protocol

+ +

The SOAP specification explicitly forbids the transport of +DOCTYPE definitions and PI processing instructions. +

+

The SOAP specifies a transport envelope that encapsulates +an XML message for transport. SOAP can also handle various +transmission status indicators implying confirmation of delivery, +error messages, and queue status messages. +SOAP transports can be loosely coupled and intermittent. +SOAP is used extensively in the design and deployment of Web Service architectures. +A companion Web Service specification is WSDL, the Web Service Definition Language. +

+

The SOAP protocol as widely deployed by Microsoft and other vendors +is based on specifications that predate the adoption +by the World Wide Web Consortium (W3C). +SOAP is not based on Microsoft technology. +It is an open standard drafted by UserLand, Ariba, Commerce One, Compaq, +Developmentor, HP, IBM, IONA, Lotus, Microsoft, and SAP. +SOAP 1.1 +was presented to the W3C in May 2000 as an official Internet standard. +

+

The original SOAP 1.1 standard +is associated with this URI namespace prefix. +

+

+http://schemas.xmlsoap.org/soap/ +

+

There are significant changes in naming conventions since SOAP 1.1 +was adopted by W3C as a recommended standard. +The current iteration is SOAP 1.2 +and is associated with this URI namespace prefix. +

+

+http://www.w3.org/2003/05 +

+

The basic security threat to the SOAP architecture is +the ability to spoof Web Service addresses and telling a +SOAP server to respond to a rogue Web Service address +when a mustUnderstand attribute is processed +and an error indication is raised. +

+

Other intelligence that can be obtained might be the +location of a public accessible WSDL definition +of the messages being transported by SOAP, +thus allowing additional malware attacks to be automatically generated. +

+ + + +

+(top) +

+

WSDL Web Service Description Language

+ +

WSDL is known as the Web Service Description Language. +The WSDL XML document is a an interface description that can be transformed +into various programming languages. +Such transformed interface descriptions are recognized as +Java Interfaces and C++ Virtual Classes. +

+

The original WSDL 1.1 standard +is associated with this URI namespace prefix. +

+

+http://schemas.xmlsoap.org/wsdl/ +

+

The current WSDL 2.0 standard +is maintained by W3C in their namespace with prefix. +

+

+http://www.w3.org/ +

+

The WSDL can provide a template for generating a compliant Web Service systems +for multiple and hetrogeneous platforms. +

+

A WSDL document that can benefit developers can also be used by malware +and hackers to taylor specific threats against targeted Web Services. +

+

The SOA (Service Oriented Architecure), +SAAS (Software As A Service), +PAAS (Platform As A Service) are families of +Web Services used as interfaces into what is +generally known as Cloud Computing. +

+ + + +

+(top) +

+

URI Uniform Resource Identifiers

+ +

The URI does not need to specify the location of a resource. +It merely provides a resource name. A catalog, database, +or other mechanism is used to map URIs to resource locations. +

+

The security issue here is that most URIs are used with a +DNS (Domain Name Service) to find a host and path to a resource. +The URI is then treated as a URL (Uniform Resource Locator). +

+

The mitigation of these threats requires diligence of the +application architects to ensure an appropriate level of trust +for the URIs and URLs used in their applications. +

+

The transmission media is inherently untrusted. +Often SOAP bindings and HTTP transports are used. +Web Service addressing is readily spoofed. +

+ + + +

+(top) +

+

URL Uniform Resource Locators

+ +

See: URI Uniform Resource Identifiers +

+ + + +

+(top) +

+

Malformed UTF-8 and UTF-16 Strings

+ +

Public Key Infrastructure (X.509) certificates are leased from a +certificate authority or are self-signed. +The distinguished names and parts thereof are usually rendered in unicode. +

+

The value of zero is not a valid Unicode character. +It is possible to create non-zero UTF-8 and UTF-16 sequences that equate to zero, +which is not allowed. +Some rogue hackers have successfully obtained wild-card PKI (X.509) certificates +by prepending a UTF-8(zero) in a distinguished name when applying for a certificate. +Such a certificate could be used to successfully sign anything. +

+

Applications should not blindly accept UTF-8 and UTF-16 strings +without verifying the proper encoding for those strings. +Contents that equate to bad Unicode character values should be denied. +

+ + + +

+(top) +

+

Canonical XML Issues

+ +

Canonical XML is a tranformation of an XML document into a +canonical form useful for signing. +This is used in some Web Service security implementations. +

+

There are several areas where Canonical XML will create XML documents +that have severe application problems. +

+

The number values are rendered in Base-10 as decimal fractions. +The computations performed by computers are usually in Base-2 floating point arithmetic. +You therefore have truncation or roundoff issues when converting between +decimal fractions and Base-2 fractions. +

+

The canonical process may collapse whitespace and transform +multi-character line endings to single-character line endings. +When whitespace is significant, the canonical issues for signing can cause problems. +

+

It is possible to create XHTML documents that will not work with some browsers. +The empty <a/> anchor element is not allowed by many browsers, +therefore <a></a> is required. +A standard XML canonical process may collapse elements with no content into empty elements. +The empty paragraph<p/> is disallowed. The <p></p> is supported. +

+

The World Wide Web Consortium (W3C) has additional detailed discussion of +canonicalization issues. +

+ + + +

+(top) +

+

XHTML Output Mode - Workaround

+ +

The Xalan-C/C++ library currently has no XHTML output mode. +Since XHTML is to be well-formed XML, the desire is to use the XML output method. +

+

XHTML is based on HTML version 4. +

+

Empty elements declared by HTML-4 should have a space before the +trailing '/>' markup (i.e. <br /> and <hr />). +XML output mode does not normally have this space when using +the <xsl:element name="br" /> in your stylesheet. +Most modern browsers are ok with no space, but viewing the +browser source shows a warning condition. +

+

Non-empty elements declared by HTML-4 should not be rendered as empty XML elements. +If there is no content, the elements should be rendered with both a start-tag and end-tag +(i.e. <a name="xxx"></a>) instead of an XML empty-element. +XSLT processors usually create an empty-element +(i.e. <a name="xxx"/>) when the element being defined has no content +other than attributes. +

+

For XSLT processors creating XML documents for XHTML, +you can create what looks like an element with no content by including +the &#8204; character +(a zero-width non-joining character often known as &zwnj;) +as the element text content. +This also allows transitional browsers the ability to find the end tag. +

+

+

+
  DTD    <!ENTITY zwnj    "&#8204;">
+
+  <a name="marker">&zwnj;</a>
+
+

+

Transitional XHTML is not usually well-formed XML. +It becomes a mix of HTML version 4 and XML markup. +Strict XHTML is required to be well-formed XML. +

+ +

+(top) +

+
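Review bot: the "Resolving External Entities" section explains that parameter and general entities declared in the internal subset force the parser to fetch external content, but it never says how a Xalan-C user switches that fetching off in the underlying Xerces-C parser; naming the Xerces-C feature http://apache.org/xml/features/nonvalidating/load-external-dtd, together with the restrictive entity resolver that the "Trusted External Entities" section already recommends, would turn the mitigation into something a reader can act on rather than a description of the threat. Small fixes in the same text: the general-entity example writes "&entity" without the closing semicolon that the "%entity;" example has; "SOAP 1.1 was presented to the W3C in May 2000 as an official Internet standard" and "since SOAP 1.1 was adopted by W3C as a recommended standard" overstate it, since SOAP 1.1 was submitted to W3C as a Note and SOAP 1.2 is the Recommendation, which the next sentence already treats as the current version; the SOAP 1.2 and WSDL 2.0 namespace "prefixes" are given as http://www.w3.org/2003/05 and http://www.w3.org/, which are too short to identify a namespace, so either give the full namespace URI or drop the word "prefix". In the UTF-8/UTF-16 section, "non-zero UTF-8 and UTF-16 sequences that equate to zero" describes an overlong encoding, while the certificate incident that follows relies on a literal zero byte inside the distinguished name; say which one is meant, and "could be used to successfully sign anything" should be narrowed to what such a certificate is actually accepted for, since an end-entity certificate is not a signing certificate. Typos: "hetrogeneous", "taylor", "tranformation", "Architecure", "a an interface description", "XML1.0"/"XML1.1" (missing spaces), and "Since XHTML is to be well-formed XML" should read "Since XHTML must be well-formed XML".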
+ + + --------------------------------------------------------------------- To unsubscribe, e-mail: xalan-cvs-unsubscribe@xml.apache.org For additional commands, e-mail: xalan-cvs-help@xml.apache.org