When JAXP secure processing features are added to Xerces (i.e., once Ron Sigal's Xerces PR is merged), WildFly will be using a SAXParserFactory implementation that disallows DOCTYPE declarations by default. This will cause a ServletException to occur when accessing any JSF .xhtml page that includes a DOCTYPE declaration. We should give users the option to override this default behaviour and allow DOCTYPE declarations for JSF apps, if desired. We can accomplish this as follows:
1) Add a "com.sun.faces.disallowDoctypeDecl" context parameter to Mojarra to explicitly specify whether or not DOCTYPE declarations should be allowed.
- I've created JAVASERVERFACES-4130 to track this and I've submitted a patch upstream to the Mojarra team.
2) Add a disallow-doctype-decl attribute to the JSF subsystem to specify the default value of the "com.sun.faces.disallowDoctypeDecl" context parameter for JSF apps.
- I've implemented the changes required for this:
If my patch for the new context parameter looks good to the Mojarra team, I can apply it to our Mojarra fork and submit a PR against WildFly with these changes.