Oxygen XML Forum

In a project that was once upon a time validating fine on a Mac (oXygen v. 20), I am now (v. 21 on PC) getting the following message:

[ISO Schematron] xsl:result-document is disabled when extension functions are disabled. For security reasons the external function calls have been disabled because the Schematron file is not located inside a framework.

I tried unsuccessfully to find some background on this on the oXygenxml.com website. So in the interests of not just myself but other users trying to figure this out, I'll ask here about the rationale.

I understand that <xsl:result-document> can be dangerous, but what extra measure of security does a framework provide?

I see options for dis/allowing extension function calls with various Saxon engines under XSLT and XQuery operations, but why not allow something analogous at the XML > XML Parser > Schematron tab under Preferences?

Hello,

When the Schematron file is not from a safe location it is being run in a sandbox, with limited permissions. Frameworks, for example, are considered safe locations because they either came built-in with Oxygen or the user have installed them himself. The file from within the framework directory can thus be run with full permissions.
What you can do:

1. If you already have a framework then all you have to do is to move that Schematron file inside the framework directory.

2. You can go to Options->Preferences... on page Document Type Association / Locations and just add the directory where the Schematron is located as an additional frameworks directory. Not a very elegant solution but it is a quick fix without any undesired side effects.

3. If you set the system property com.oxygenxml.disable.security=true then Oxygen will not sandbox resource that are not from safe locations. Framework and plugin locations are considered safe.

I will add an issue to offer a check box inside preferences with the same functionality.

Best regards,
Alex

I have encountered this problem also (trying to use a saxon:path() function inside my Schematron file), and I would also vote for a checkbox on the Schematron preferences page to disable security checking for external functions.

(In this case I was able simply to substitute fn:path() for saxon:path() but the general issue remains.)

dsewell wrote: ↑Fri Nov 22, 2019 11:47 pm I have encountered this problem also (trying to use a saxon:path() function inside my Schematron file), and I would also vote for a checkbox on the Schematron preferences page to disable security checking for external functions.

Hi,

I'll add your vote for that check box and I will increase its priority.

Best regards,
Alex

+1 for a convenient way to disable this check.

Hello,

Thanks for your feedback.
I added your vote on the issue. We will update this thread when the issue will be solved.

Best Regards,
Octavian