Merged V4.1-BUG-FIX to HEAD

39828: Merged V4.1 to V4.1-BUG-FIX
      39827: Merged PATCHES/V4.0.2 to V4.1
         39825: ALF-13453 / ALF-13844: Merged V3.4-BUG-FIX to PATCHES/V4.0.2
            39823: ALF-13552, ALF-13978: Reverse merged the following revisions - won't fix due to regressions and not a serious vulnerability
               35341: ALF-13552: Merged V4.0 to V3.4
                  35296: ALF-13453: Merged V4.0-BUG-FIX to V4.0
                     35295: Fix for ALF-13453: Remote Code Execution (can create reverse shell)
                  35304: ALF-13453: Extra fix to ensure xalan namespace isn't declared with global scope and can't be hijacked by an input stylesheet
                  35307: ALF-13453: Duplicated extra fix to duplicate code in XSLTRenderingEngine!
               36101: ALF-13978: Merged V4.0-BUG-FIX to V3.4
                  36014: ALF-13844: XSLT Filtering Not 100% Secure
                     - added more namespaces to the security filter.
                     - verified that include/import uses the security filter.
               36108: ALF-13978: Fixed compilation errors
            39824: ALF-13552, ALF-13978: Fixed compilation errors


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@39829 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/web/forms/XSLTRenderingEngine.java

@@ -40,9 +40,9 @@ import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
 import org.alfresco.service.namespace.QName;
+import org.alfresco.util.XMLUtil;
 import org.apache.bsf.BSFManager;
 import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang.exception.ExceptionUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.xml.dtm.ref.DTMNodeProxy;
@@ -55,8 +55,6 @@ import org.w3c.dom.traversal.NodeFilter;
 import org.w3c.dom.traversal.NodeIterator;
 import org.xml.sax.SAXException;
 
-import org.alfresco.util.XMLUtil;
-
 /**
  * A rendering engine which uses xsl templates to render renditions of
  * form instance data.
@@ -261,12 +259,14 @@ public class XSLTRenderingEngine
       final Element docEl = xslTemplate.getDocumentElement();
       final String XALAN_NS = Constants.S_BUILTIN_EXTENSIONS_URL;
       final String XALAN_NS_PREFIX = "xalan";
+      docEl.setAttribute("xmlns:" + XALAN_NS_PREFIX, XALAN_NS);
 
       final Set<String> excludePrefixes = new HashSet<String>();
       if (docEl.hasAttribute("exclude-result-prefixes"))
       {
          excludePrefixes.addAll(Arrays.asList(docEl.getAttribute("exclude-result-prefixes").split(" ")));
       }
+      excludePrefixes.add(XALAN_NS_PREFIX);
 
       final List<String> result = new LinkedList<String>();
       for (QName ns : methods.keySet())
@@ -385,7 +385,7 @@ public class XSLTRenderingEngine
       Document xslTemplate = null;
       try
       {
-         xslTemplate = XMLUtil.secureParseXSL(ret.getInputStream());
+         xslTemplate = XMLUtil.parse(ret.getInputStream());
       }
       catch (final SAXException sax)
       {
@@ -448,7 +448,7 @@ public class XSLTRenderingEngine
 
             try
             {
-               final Document d = XMLUtil.secureParseXSL(in);
+               final Document d = XMLUtil.parse(in);
                if (LOGGER.isDebugEnabled())
                   LOGGER.debug("loaded " + XMLUtil.toString(d));
                return new DOMSource(d);
@@ -481,12 +481,7 @@ public class XSLTRenderingEngine
             final StringBuilder msg = new StringBuilder("errors encountered creating tranformer ... \n");
             for (TransformerException te : errors)
             {
-            	msg.append(te.getMessageAndLocation()).append("\n");
-            	String cause = ExceptionUtils.getRootCauseMessage(te);
-            	if (cause != null) 
-            	{
-            		msg.append(" caused by: " + cause);
-            	}
+               msg.append(te.getMessageAndLocation()).append("\n"); 
             }
             throw new RenderingEngine.RenderingException(msg.toString());
          }
@@ -522,11 +517,6 @@ public class XSLTRenderingEngine
          for (TransformerException te : errors)
          {
             msg.append(te.getMessageAndLocation()).append("\n"); 
-            String cause = ExceptionUtils.getRootCauseMessage(te);
-        	if (cause != null) 
-        	{
-        		msg.append(" caused by: " + cause);
-        	}
          }
          throw new RenderingEngine.RenderingException(msg.toString());
       }