When using the Java's TransformerFactory to XSL transform XML documents, the XSL document is allowed to call Java methods by default. This however could be a security issue when dealing with third party XSL documents.
To disallow calling Java methods from the XSD, set the FEATURE_SECURE_PROCESSING feature on the factory:
TransformerFactory factory = TransformerFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
This will result in an TransformerException when transforming the documents:
Error: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true. Error during transformation javax.xml.transform.TransformerException: java.lang.RuntimeException: Use of the extension function 'java:new' is not allowed when the secure processing feature is set to true.