Schematron and external functions

Having trouble installing <oXygen/>? Got a bug to report? Post it all here.
whyme
Posts: 58
Joined: Fri Mar 08, 2013 8:58 am

Schematron and external functions

Post by whyme » Tue Mar 12, 2019 8:43 pm

In a project that was once upon a time validating fine on a Mac (oXygen v. 20), I am now (v. 21 on PC) getting the following message:
[ISO Schematron] xsl:result-document is disabled when extension functions are disabled. For security reasons the external function calls have been disabled because the Schematron file is not located inside a framework.
I tried unsuccessfully to find some background on this on the oXygenxml.com website. So in the interests of not just myself but other users trying to figure this out, I'll ask here about the rationale.

I understand that <xsl:result-document> can be dangerous, but what extra measure of security does a framework provide?

I see options for dis/allowing extension function calls with various Saxon engines under XSLT and XQuery operations, but why not allow something analogous at the XML > XML Parser > Schematron tab under Preferences?

alex_jitianu
Posts: 669
Joined: Wed Nov 16, 2005 11:11 am

Re: Schematron and external functions

Post by alex_jitianu » Thu Mar 14, 2019 3:35 pm

Hello,

When the Schematron file is not from a safe location it is being run in a sandbox, with limited permissions. Frameworks, for example, are considered safe locations because they either came built-in with Oxygen or the user have installed them himself. The file from within the framework directory can thus be run with full permissions.
What you can do:

1. If you already have a framework then all you have to do is to move that Schematron file inside the framework directory.

2. You can go to Options->Preferences... on page Document Type Association / Locations and just add the directory where the Schematron is located as an additional frameworks directory. Not a very elegant solution but it is a quick fix without any undesired side effects.

3. If you set the system property com.oxygenxml.disable.security=true then Oxygen will not sandbox resource that are not from safe locations. Framework and plugin locations are considered safe.

I will add an issue to offer a check box inside preferences with the same functionality.

Best regards,
Alex

Post Reply