Don't accept entities with regular expression scopes through mdx import.

mdx/check_regscope.xsl

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+	check_regscope.xsl
+
+	Check for the presence of Shibboleth Scope elements containing regular expressions.
+	
+-->
+<xsl:stylesheet version="1.0"
+	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+	xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+	xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
+
+	<!--
+		Common support functions.
+	-->
+	<xsl:import href="../build/check_framework.xsl"/>
+
+	<xsl:template match="shibmd:Scope[@regexp='true']">
+		<xsl:call-template name="error">
+			<xsl:with-param name="m">
+				<xsl:text>regular expression in scope '</xsl:text>
+				<xsl:value-of select="."/>
+				<xsl:text>'</xsl:text>
+			</xsl:with-param>
+		</xsl:call-template>
+	</xsl:template>
+
+</xsl:stylesheet>

mdx/validation-beans.xml

@@ -278,6 +278,21 @@
         </property>
     </bean>
 
+    <!--
+        check_regscope
+        
+        Check for regular expressions in Shibboleth Scope elements.  Applied very selectively.
+    -->
+    <bean id="check_regscope" class="net.shibboleth.metadata.dom.XSLValidationStage"
+        init-method="initialize" lazy-init="true">
+        <property name="id" value="check_regscope"/>
+        <property name="xslResource">
+            <bean class="org.opensaml.util.resource.FilesystemResource">
+                <constructor-arg value="#{ systemProperties['basedir'] }/mdx/check_regscope.xsl"/>
+            </bean>
+        </property>
+    </bean>
+
     <!--
         check_reqattr
     -->
@@ -411,6 +426,7 @@
                 <ref bean="CHECK_std"/>
                 <ref bean="check_future"/>
                 <ref bean="check_saml2int"/>
+                <ref bean="check_regscope"/>
             </list>
         </property>
     </bean>