
How to provide a utility on XSLT while maintaining security


I would like the ability to provide an escape utility that can be used in an XSL Stylesheet. For example:

<xsl:stylesheet version="2.0"
   xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
   xmlns:xs="http://www.w3.org/2001/XMLSchema" 
   xmlns:xalan="http://xml.apache.org/xalan" 
   xmlns:escape="xalan://com.example.myservice.MyEscapeTool">

However, in terms of Java, my understanding is that lack of the following setting on your TransformerFactory can be insecure:

factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

So I did that, but understandably this blocks your ability to use "external function calls" with the following runtime error:

FATAL: XPath syntax error at char 12 in {escape:new()}:
    Cannot find a matching 0-argument function named 
{java:com.example.myservice.MyEscapeTool}new(). Note: external 
function calls have been disabled;

Removing the aforementioned FEATURE_SECURE_PROCESSING flag will fix the issue.

How can I include a utility function that can be called in XSLT, without causing a loss in security with the ability to expose ANY arbitrary Java class?


Solution

  • As @MartinHonnen points out in his comment, if you switch to using Saxon, then you can restrict the stylesheet to use only "integrated extension functions" which are registered with the XSLT processor prior to execution, without allowing the stylesheet to call any class/method that happens to be on the classpath.
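
The approach in the answer, as an added example (not code from the question or the answer). It assumes Saxon 9.9 or later on the classpath; `EscapeFunction`, the `urn:example:escape` namespace, the `js-string` function name and the escaping rule are hypothetical stand-ins for `MyEscapeTool`, and the stylesheet and input are constructed for the demo.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.lib.Feature;
import net.sf.saxon.s9api.*;

public class SafeEscapeDemo {
    // Hypothetical namespace: a plain URI, not a java:/xalan: class reference.
    static final String NS = "urn:example:escape";

    // Integrated extension function: the only Java code the stylesheet can reach.
    static final class EscapeFunction implements ExtensionFunction {
        public QName getName() { return new QName(NS, "js-string"); }
        public SequenceType getResultType() {
            return SequenceType.makeSequenceType(ItemType.STRING, OccurrenceIndicator.ONE);
        }
        public SequenceType[] getArgumentTypes() {
            return new SequenceType[] { getResultType() };
        }
        public XdmValue call(XdmValue[] args) {
            String in = args[0].itemAt(0).getStringValue();
            // Stand-in rule (assumption): escape backslash and double quote.
            return new XdmAtomicValue(in.replace("\\", "\\\\").replace("\"", "\\\""));
        }
    }

    // Constructed stylesheet that calls the registered function by QName.
    static final String XSLT =
        "<xsl:stylesheet version='2.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:escape='" + NS + "' exclude-result-prefixes='escape'>"
      + "<xsl:output method='text'/>"
      + "<xsl:template match='/'>"
      + "<xsl:value-of select='escape:js-string(string(/msg))'/>"
      + "</xsl:template></xsl:stylesheet>";

    public static void main(String[] argv) throws SaxonApiException {
        Processor proc = new Processor(false);
        // Keep reflexive calls to arbitrary classpath classes switched off.
        proc.setConfigurationProperty(Feature.ALLOW_EXTERNAL_FUNCTIONS, false);
        // Allowlist exactly one function before any stylesheet is compiled.
        proc.registerExtensionFunction(new EscapeFunction());
        XsltTransformer t = proc.newXsltCompiler()
            .compile(new StreamSource(new StringReader(XSLT))).load();
        t.setSource(new StreamSource(new StringReader("<msg>say \"hi\"</msg>")));
        StringWriter out = new StringWriter();
        t.setDestination(proc.newSerializer(out));
        t.transform();
        System.out.println(out); // escaped text produced by the registered function
    }
}
```

A stylesheet compiled by this `Processor` that binds a prefix to a class name, as in the question's `xalan://com.example.myservice.MyEscapeTool` declaration, still fails to resolve the call, because only the registered QName is callable.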