Fix for php 5.3.9 libxsl security "bug" fix
- by Question Mark
just this morning i updated my debian server to php 5.3.9 , change log (last item in list) has a fix for this bug and now when running any hosted site using XSL transforms i get:
Warning: XSLTProcessor::transformToXml(): Can't set libxslt security properties, not doing transformation for security reasons
I'm not using any <sax:output> tags in my xslt at all.
Does anybody have any information on this, current chatter about it is thin, so i'm i little lost.
Using the suggestion about switching ini settings on and off either side of -transformToXml():
ini_set("xsl.security_prefs", XSL_SECPREFS_NONE)
or
$xsl->setSecurityPreferences(XSL_SECPREFS_NONE)
brings me back to the same error
Many thanks.
Progress:
- Upgrading libxml and recompiling libxslt against the new version was a good suggestion, though has not fixed the issue.
- Compiling the latest php5.3 snapshot does not fix the issue.
Solution:
I'm unsure what actually solved this, very sorry for anyone else having the same problem. firstly i upgraded libxml, then applied a few patches, then went into php source for the xsl parser and added some debugging and a few tweaks, after a few compiles getting the configure args right the error went away and wasn't reproducible.
I would definitely recommend upgrading libxml as Petr suggested below and then grabbing the latest snapshot from php.net.
