From cfe1b19bbc67854e5163d55ee2590d1b3fdc5d9c Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Fri, 14 Nov 2025 14:26:36 +0100 Subject: [PATCH] Add Xalan Java security documentation --- stylebook/sources/xalan/index.xml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/stylebook/sources/xalan/index.xml b/stylebook/sources/xalan/index.xml index 8d2edeadc..6ba63c6d9 100644 --- a/stylebook/sources/xalan/index.xml +++ b/stylebook/sources/xalan/index.xml @@ -367,4 +367,14 @@ in the Xalan-Java distribution..

For the licences that apply to the JARs other than xalan.jar, see the licenses and associated readme files in the root directory of this distribution.

+ + +

Xalan does what the XML specifications require by default. In some cases, this may not be appropriate behavior when working with untrusted input: the XML Security Overview mentions some potential risks. There are multiple methods for blocking access to external entities and for disallowing DOCTYPE declarations, and it is up to the downstream user of Xalan to block/reject these constructs where appropriate.

+

Specific to Xalan Java: some components, such as 'Transformer', will use your system's infrastructure for components such as the 'XMLReader' implementation. This means to use Xalan Java safely with untrusted input, you must also make sure those components are configured securely.

+ +

If you think you have found a security issue in Apache Xalan, please follow the reporting guidelines

+ +
+ +
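Review bot: The new text tells readers there are "multiple methods for blocking access to external entities and for disallowing DOCTYPE declarations" but names none of them, so a reader who arrives here from an advisory is left to guess which knobs Xalan actually honours; please name at least the standard JAXP ones in the hunk, e.g. setting `XMLConstants.FEATURE_SECURE_PROCESSING` on the TransformerFactory, clearing `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` (empty string) to block fetches of external DTDs and stylesheets, and, on the parser side, the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl`. The second paragraph ("some components, such as 'Transformer', will use your system's infrastructure for components such as the 'XMLReader' implementation") is also vaguer than it needs to be: state that the XMLReader is located through the JAXP/SAX factory lookup unless the caller supplies one, and recommend that callers handling untrusted input construct the XMLReader themselves with external entities and DOCTYPEs disabled and pass it in explicitly via a SAXSource instead of relying on the default lookup. Finally, "the XML Security Overview mentions some potential risks" reads as a reference without a target in the rendered source; make sure the stylebook element carries the link to that overview, and the closing "please follow the reporting guidelines" likewise needs its link to the Apache security reporting page rather than ending on bare text.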