8370529: Enhance Path Factories Redux

Reviewed-by: abakhtin
Backport-of: 17aa6f32a5e5bfcd30f79f1a101b6fdfeeecd6cc

Author: Aleksei Voitylov

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathExpressionImpl.java

@@ -20,6 +20,7 @@
 
 package com.sun.org.apache.xpath.internal.jaxp;
 
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xml.internal.utils.WrappedRuntimeException;
 import com.sun.org.apache.xpath.internal.objects.XObject;
 import javax.xml.namespace.QName;
@@ -32,14 +33,15 @@
 import javax.xml.xpath.XPathFunctionResolver;
 import javax.xml.xpath.XPathVariableResolver;
 import jdk.xml.internal.JdkXmlFeatures;
+import jdk.xml.internal.XMLSecurityManager;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
 /**
  * The XPathExpression interface encapsulates a (compiled) XPath expression.
  *
  * @author  Ramesh Mandava
- * @LastModified: May 2022
+ * @LastModified: Nov 2025
  */
 public class XPathExpressionImpl extends XPathImplUtil implements XPathExpression {
 
@@ -49,21 +51,26 @@ public class XPathExpressionImpl extends XPathImplUtil implements XPathExpressio
      * from the context.
      */
     protected XPathExpressionImpl() {
-        this(null, null, null, null, false, new JdkXmlFeatures(false));
+        this(null, null, null, null, false, new JdkXmlFeatures(true),
+            new XMLSecurityManager(true),
+            new XMLSecurityPropertyManager());
     };
 
     protected XPathExpressionImpl(com.sun.org.apache.xpath.internal.XPath xpath,
             JAXPPrefixResolver prefixResolver,
             XPathFunctionResolver functionResolver,
             XPathVariableResolver variableResolver) {
         this(xpath, prefixResolver, functionResolver, variableResolver,
-             false, new JdkXmlFeatures(false));
+             false, new JdkXmlFeatures(true),
+            new XMLSecurityManager(true),
+            new XMLSecurityPropertyManager());
     };
 
     protected XPathExpressionImpl(com.sun.org.apache.xpath.internal.XPath xpath,
             JAXPPrefixResolver prefixResolver,XPathFunctionResolver functionResolver,
             XPathVariableResolver variableResolver, boolean featureSecureProcessing,
-            JdkXmlFeatures featureManager) {
+            JdkXmlFeatures featureManager, XMLSecurityManager xmlSecMgr,
+            XMLSecurityPropertyManager xmlSecPropMgr) {
         this.xpath = xpath;
         this.prefixResolver = prefixResolver;
         this.functionResolver = functionResolver;
@@ -72,6 +79,8 @@ protected XPathExpressionImpl(com.sun.org.apache.xpath.internal.XPath xpath,
         this.overrideDefaultParser = featureManager.getFeature(
                 JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER);
         this.featureManager = featureManager;
+        this.xmlSecMgr = xmlSecMgr;
+        this.xmlSecPropMgr = xmlSecPropMgr;
     };
 
     public void setXPath (com.sun.org.apache.xpath.internal.XPath xpath) {

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java

@@ -49,7 +49,7 @@
  * New methods: evaluateExpression
  * Refactored to share code with XPathExpressionImpl.
  *
- * @LastModified: June 2025
+ * @LastModified: Nov 2025
  */
 public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath {
 
@@ -171,7 +171,8 @@ public XPathExpression compile(String expression)
             // Can have errorListener
             XPathExpressionImpl ximpl = new XPathExpressionImpl (xpath,
                     prefixResolver, functionResolver, variableResolver,
-                    featureSecureProcessing, featureManager);
+                    featureSecureProcessing, featureManager,
+                    xmlSecMgr, xmlSecPropMgr);
             return ximpl;
         } catch (TransformerException te) {
             throw new XPathExpressionException (te) ;