Question regarding "Entity Expansion in JAXB", "-DentityExpansionLimit" and "8017298: Better XML support"

Volker Simonis volker.simonis at
Thu Nov 7 17:33:52 UTC 2013


I have a question related to change "8017298: Better XML support"
which went into the last security update. Because it was considered a
security fix, there's not much information available (i.e. no webrev,
no bug description, no discussion on the public mailing lists).

As far as I can see, the "entityExpansionLimit" for JAXB has been
there since Java 5 and according to Blaise Doughan's blog at
it should have been enabled by default together with the

Now we have a customer who claims that after upgrading to 7u45 he gets
an exception because of too many entity expansions. The customer
explicitly sets "-DentityExpansionLimit=1".

For us it seems as if before change "8017298: Better XML support"
there must have been places in the libraries which ignored the
"entityExpansionLimit" setting even if this was explicitly specified
by the user. Can somebody confirm this assumption or is our customer
facing another problem?

Thank you and best regards,

More information about the core-libs-dev mailing list