JDK-8343002 : Adjust XSLT and XPath Extension Function Property
  • Type: CSR
  • Component: xml
  • Sub-Component: jaxp
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 24
  • Submitted: 2024-10-24
  • Updated: 2024-11-05
  • Resolved: 2024-11-05
Related Reports
CSR :  
JDK-8343001 - Adjust XSLT and XPath Extension Function Property
Description
Summary
-------

Change the default setting to disallow Extension Functions.

Problem
-------

XSLT and XPath Extension Functions can be useful in scenarios where you need to integrate custom logic into the transformation process, that extends the capabilities of XSLT by leveraging Java APIs. However, extension functions come with significant drawbacks. They make transformations more complex, blending concerns between transformation and application logic. They are hard to maintain and debug, and reduce portability. More importantly, allowing XSLT stylesheets to execute Java code can be a security concern. It is therefore better to avoid extension functions, keeping transformations purely XSLT-based and handling complex logic separately within the application.

As indicated in [JEP 486](https://openjdk.org/jeps/486), Extension Functions are disabled when running with the Security Manager. The removal of the Security Manager is another reason that this feature should be disabled by default.

Solution
--------

Disable XSLT and XPath Extension Functions by default, specifically by setting [FEATURE_SECURE_PROCESSING (FSP)](https://docs.oracle.com/en/java/javase/23/docs/api/java.xml/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING) to true in the Transform API by default.

This change aligns the Transform API with other JAXP APIs such as DOM, SAX and Validation in having FSP on by default. Its impact is limited to the Extension Functions because other properties as listed in the [implementation specific properties](https://docs.oracle.com/en/java/javase/23/docs/api/java.xml/module-summary.html#IN_ISFPtable) table have already set the FSP-enabled values to the same as the default values of each property.

This change also does not change the [External Access Properties](https://docs.oracle.com/en/java/javase/23/docs/api/java.xml/javax/xml/XMLConstants.html#EAP) because they require FSP to be explicitly set via the JAXP APIs.

This solution does not include the XPath API. The XSLT and XPath Extension Functions in this CSR refer to the XSLT Extension Functions and functions within XPath expressions in XSLT, but not the ones used in the XPath API. The XPath API uses an user-defined [XPathFunctionResolver](https://docs.oracle.com/en/java/javase/23/docs/api/java.xml/javax/xml/xpath/XPathFunctionResolver.html) to resolve any functions specified in the XPath expression. It therefore does not suffer the drawbacks as in the Transform API.
 
**Compatibility and solution**

If an application handles XML transformation with a stylesheet that uses Extension Functions, it may encounter processing error such as the follows:

    Use of the extension function '[function name]' is not allowed when extension functions are disabled
    by the secure processing feature or the property 'jdk.xml.enableExtensionFunctions'. To enable extension
    functions, set 'jdk.xml.enableExtensionFunctions' to 'true'.

For applications that require extension functions, the solution is to set the property `jdk.xml.enableExtensionFunctions` to true. This can be done via the Transform API, e.g.

            transformerFactory = TransformerFactory.newInstance();
            transformerFactory.setFeature("jdk.xml.enableExtensionFunctions", true);

Or in the JAXP Configuration File. A [template for creating Strict JAXP Configuration File](https://bugs.openjdk.org/browse/JDK-8330605), jaxp-strict.properties.template, was provided in JDK 23 for developers to assess and prepare for this type of changes. To set the property, copy the template and create a custom configuration file:

    cp $JAVA_HOME/conf/jaxp-strict.properties.template. /<my_path>/jaxp-strict.properties

Edit and change the setting as follows:

    jdk.xml.enableExtensionFunctions=true

Furthermore, as a system property, the property can also be set on the commandline, e.g.:

    java -Djdk.xml.enableExtensionFunctions=true myApp` 


Specification
-------------

Update the java.xml module description, table [Implementation Specific Properties](https://docs.oracle.com/en/java/javase/23/docs/api/java.xml/module-summary.html#IN_ISFPtable):

<pre>
    Name					             Value (default)
-  jdk.xml.enableExtensionFunctions      true
+  jdk.xml.enableExtensionFunctions      false
</pre>
Comments
I see a release note is already planned; moving to Approved.
05-11-2024