-
Requirement
-
Resolution: Duplicate
-
Major
-
None
-
None
When JAXP secure processing features are added to Xerces (i.e., once Ron Sigal's Xerces PR is merged), WildFly will be using a SAXParserFactory implementation that disallows DOCTYPE declarations by default. This will cause a ServletException to occur when accessing any JSF .xhtml page that includes a DOCTYPE declaration. We should give users the option to override this default behaviour and allow DOCTYPE declarations for JSF apps, if desired. We can accomplish this as follows:
1) Add a "com.sun.faces.disallowDoctypeDecl" context parameter to Mojarra to explicitly specify whether or not DOCTYPE declarations should be allowed.
- I've created JAVASERVERFACES-4130 to track this and I've submitted a patch upstream to the Mojarra team.
2) Add a disallow-doctype-decl attribute to the JSF subsystem to specify the default value of the "com.sun.faces.disallowDoctypeDecl" context parameter for JSF apps.
- I've implemented the changes required for this:
https://github.com/fjuma/wildfly/commit/e6076549ea5c4b84a93dbe4ea0db9f8c2d65af26
If my patch for the new context parameter looks good to the Mojarra team, I can apply it to our Mojarra fork and submit a PR against WildFly with these changes.
- clones
-
WFLY-6545 Add an attribute to the JSF subsystem to specify whether or not DOCTYPE declarations in JSF deployments should be disallowed
- Closed