Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8216531

Change DOM parser to not produce a Text node with DocumentBuilderFactory.setExpandEntityReferences(false)

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: xml
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      low
    • Compatibility Risk Description:
      Hide
      Changing the behavior will cause applications that rely on the old behavior to fail. Specifically, if an application set ExpandEntityReferences to false and then attempts to read the Text node, it may either encounter a NullPointerException or unexpected content (if it expects resolved content).

      However, when ExpandEntityReferences is set to false, the application is arguably expecting no resolved Text node. Furthermore, since it can not expect to read the content properly (correctly) without resolving entity references, it may turn the feature off only when no entity references are anticipated in the XML documents. The purpose of turning off the feature therefore is more likely a precaution for security reason to avoid accidentally resolving any external references. For that reason, the risk of the incompatibility behavior is lessened.
      Show
      Changing the behavior will cause applications that rely on the old behavior to fail. Specifically, if an application set ExpandEntityReferences to false and then attempts to read the Text node, it may either encounter a NullPointerException or unexpected content (if it expects resolved content). However, when ExpandEntityReferences is set to false, the application is arguably expecting no resolved Text node. Furthermore, since it can not expect to read the content properly (correctly) without resolving entity references, it may turn the feature off only when no entity references are anticipated in the XML documents. The purpose of turning off the feature therefore is more likely a precaution for security reason to avoid accidentally resolving any external references. For that reason, the risk of the incompatibility behavior is lessened.
    • Interface Kind:
      Java API
    • Scope:
      JDK

      Description

      Summary

      Changing the JDK implementation of the DOM parser so that it will not produce a Text node when the ExpandEntityReferences feature is set to false.

      Problem

      By default, a DOM parser resolves entity references as defined. The ExpandEntityReferences feature provides an option for an application to disable such resolution when it is desirable, for example, if no entity reference is expected in normal operation, it may serve as a good precaution.

      When ExpandEntityReferences is turned off, the DOM parser is expected to add the EntityReference node to the DOM tree. The current implementation however, continues to resolve the EntityReference and add a Text node with expanded value in addition to the EntityReference node. That defeats the purpose of having the feature that is to allow disabling the resolution.

      This issue has a long history. The first report about it was JDK-4762733 that was filed in 2002 for JDK 1.4.1 and then more recently an internal report through JDK-8025660. Both were rejected as "Not an Issue". The reason was that the review was focused on the EntityReference node and the argument was that the parser was doing it correctly by including or excluding the node when setExpandEntityReferences is off or on. The evaluation neglected the fact that the Text node was the real issue, that it should not have been added.

      The above is also manifested in JAXP's SQE test where an assertion was made only for the EntityReference node and there was no further test on whether a Text node existed.

      Solution

      Change the behavior of the DOM parser to produce one and only EntityReference node without the expanded Text node when DocumentBuilderFactory.setExpandEntityReferences is set to false.

      The benefit of the change is that the DOM parser would then work as expected when an application intends to use the feature to avoid resolving any entity references.

      Specification

      No change.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                joehw Joe Wang
                Reporter:
                webbuggrp Webbug Group
                Reviewed By:
                Daniel Fuchs, Lance Andersen
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: