From 1d019598483c246642098984aa3bda9f1cbc0cbc Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Fri, 14 Nov 2025 14:26:36 +0100
Subject: [PATCH] Add Xalan Java security documentation

---
 stylebook/sources/xalan/index.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/stylebook/sources/xalan/index.xml b/stylebook/sources/xalan/index.xml
index 8d2edeadc..a87c94943 100644
--- a/stylebook/sources/xalan/index.xml
+++ b/stylebook/sources/xalan/index.xml
@@ -367,4 +367,14 @@ in the Xalan-Java distribution..</p>
  <p>For the licences that apply to the JARs other than xalan.jar, see the licenses and 
     associated readme files in the root directory of this distribution.</p>
 </s2>
+
+<s2 title="Security">
+<p>Xerces and Xalan do what the XML specifications require by default. In some cases, this may not be appropriate behavior when working with untrusted input: the <jump href="https://apache.github.io/xalan-c/secureweb.html">XML Security Overview</jump> mentions some potential risks. There are multiple methods for blocking access to external entities and for disallowing DOCTYPE declarations, and it is up to the downstream user of Xalan to block/reject these constructs where appropriate.</p>
+<p>Specific to Xalan Java: some components, such as 'Transformer', will use your system's infrastructure for components such as the 'XMLReader' implementation. This means to use Xalan Java safely with untrusted input, you must also make sure those components are configured securely.</p>
+
+<p>If you think you have found a security issue in Apache Xalan, please follow the <jump href="https://www.apache.org/security/#reporting-a-vulnerability">reporting guidelines</jump></p>
+
+</s2>
+
+
 </s1>