XML Processor breaks in android

[skbeh]

According to https://stackoverflow.com/questions/33337995/android-dom-xml-parser-that-supports-feature-secure-processing, DOM XML parser in android doesn't support FEATURE_SECURE_PROCESSING, so the processor breaks after Rhino 1.7.12 released.

[p-bakker]

Are you sure it's related to that commit? The changes that introduced the dependancy on FEATURE_SECURE_PROCESSING date back to 2019, to Rhino 1.7.12 if I'm not mistaken.

The SO link you included suggests to use xerces-for-android though

[tonygermano]

The shared commit appears to only reformat the code and not make any changes.

[skbeh]

I can confirm that the problem was introduced in Rhino 1.7.12 with

rhino/xmlimplsrc/org/mozilla/javascript/xmlimpl/XmlProcessor.java

Line 71 in d4021ee

dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

[skbeh]

The next line also breaks compatibility with Android as https://android.binarydoc.org/com.android/sdk/29/method?classfilelocation=javax.xml.parsers.documentbuilderfactory&seq=23&methodname=setXIncludeAware.

[p-bakker]

Had another look: this isn't a bug, because the both lines of codes that you say break compatibility are behind a feature flag (Context.FEATURE_ENABLE_XML_SECURE_PARSING), which defaults to true.

So, I think if you don't want to bundle and use the aforementioned 'xerces-for-android' and get secure XML processing, you can customize your Context and set the 'Context.FEATURE_ENABLE_XML_SECURE_PARSING' flag to false.

I'm leaving this case open for now, as we should document this (blocked by #954)