8298676: Enhanced Look and Feel

mrserb · RealCLanger · commit 2b764cd7d061 · 2023-07-02T23:07:45.000+02:00
Reviewed-by: mbalao
Backport-of: 932ee4043e4a4a262a4c0b747f1367858f55198e
diff --git a/src/java.desktop/share/classes/javax/swing/plaf/synth/SynthLookAndFeel.java b/src/java.desktop/share/classes/javax/swing/plaf/synth/SynthLookAndFeel.java
@@ -615,6 +615,18 @@ public void load(InputStream input, Class<?> resourceBase) throws
      * <code>new URL(synthFile, path)</code>. Refer to
      * <a href="doc-files/synthFileFormat.html">Synth File Format</a> for more
      * information.
+     * <p>
+     * Whilst this API may be safe for loading local resources that are
+     * delivered with a {@code LookAndFeel} or application, and so have an
+     * equal level of trust with application code, using it to load from
+     * remote resources, particularly any which may have a lower level of
+     * trust, is strongly discouraged.
+     * The alternative mechanisms to load styles from an {@code InputStream}
+     * {@linkplain #load(InputStream, Class)}
+     * using resources co-located with the application or by providing a
+     * {@code SynthStyleFactory} to
+     * {@linkplain #setStyleFactory setStyleFactory(SynthStyleFactory)}
+     * are preferred.
      *
      * @param url the <code>URL</code> to load the set of
      *     <code>SynthStyle</code> from
diff --git a/src/java.desktop/share/classes/javax/swing/plaf/synth/doc-files/synthFileFormat.html b/src/java.desktop/share/classes/javax/swing/plaf/synth/doc-files/synthFileFormat.html
@@ -70,6 +70,8 @@ <h1><a id="file">File Format</a></h1>
     <p>
       This example loads the look and feel from an input stream, using
       the specified class as the resource base to resolve paths.
+    </p>
+    <p>
       It is also possible to load a look and feel from an arbitrary URL
       as in the following example.
     </p>
@@ -94,6 +96,11 @@ <h1><a id="file">File Format</a></h1>
       <li>Remote JAR file, e.g.
         <code>jar:http://host/synth-laf.jar!/laf.xml</code></li>
     </ul>
+    <p>Note: Synth's file format allows for the definition of code to be executed.
+       Loading any code from a remote location should be used only
+       with extreme caution from a trusted source over a secure connection.
+       It is strongly discouraged for an application or a LookAndFeel to do so.
+    </p>
     <p>
       While the DTD for synth is specified, the parser is not validating.
       Parsing will fail only if a necessary attribute is not
