[Bug 1026] Apps fail to run because of the nanoxml parser's strict XML validation

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Sun Jun 2 02:23:46 PDT 2013


Heiko <lil_tux at web.de> changed:

           What    |Removed                     |Added
                 CC|                            |lil_tux at web.de

--- Comment #5 from Heiko <lil_tux at web.de> ---
The problem are the ampersands in the href entity of the jnlp tag (and probably
in every other entity as well). Just try the following

1) OK:   <jnlp spec="1.0+" codebase="http://mydomain.com/play/"
2) OK:   <jnlp spec="1.0+" codebase="http://mydomain.com/play/"
3) FAIL: <jnlp spec="1.0+" codebase="http://mydomain.com/play/"
4) OK:   <jnlp spec="1.0+" codebase="http://mydomain.com/play/"

At a quick specification glance, the URL "should" be properly encoded, but it
hasn't to. And the client "must" use the URL as is, thus it probably should not
try to validate it and especially not try to find XML entities in the URL.

Anyway, net.sourceforge.nanoxml.XMLElement.scanString has the following code:

  } else if (ch == '&') {
  } else {

which on URL 3 tries to resolve "&par2" into an xml entity until it finds ';',
which it doesn't and thus throws an exception.

I'm not familiar with the code enough to come up with a proper solution, but
I'd say one should guard XMLElement.resolveEntity from being called for
attributes and especially from being called for attribute values.

You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130602/3e5ab3dc/attachment.html 

More information about the distro-pkg-dev mailing list