JDK-6438917 : JNLP parser accepts illegal XML in comments
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 6
  • Priority: P4
  • Status: Resolved
  • Resolution: Other
  • OS: solaris_2.5.1
  • CPU: sparc
  • Submitted: 2006-06-15
  • Updated: 2015-02-10
  • Resolved: 2015-02-10
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
8u20Fixed 9Fixed
If a JNLP file contains a comment with a double hyphen between the beginning ("<!--") and end ("-->") delimeters of the comment, the XML parser will accept the file and skip over the entire comment. However, according to the XML standard this is incorrect:


Specifically, the sentence "For compatibility, the string "--" (double-hyphen) MUST NOT occur within comments..." applies here. On the Mac this is a problem because we use the OS call CFXMLTreeCreateFromDataWithError when building a bundled application from the JNLP file, and it fails to parse the file because of the illegal comment in the file.

This was reported by a developer as a bug on Mac OS X's Java because 'it works on other platforms', but the root problem is incorrect behavior in the shared code (see com.sun.deploy.xml.XMLParser.skipXMLComment())

Removing incorrect multiple values in fixVersions.

Changeset: http://closedjdk.us.oracle.com/jdk9/client/deploy/rev/7c8d13b4af2b Reviewed-by: herrick, dcherepanov

EVALUATION There is really no problem here. Although javawebstart should report an error if these illegal characters are used in a jnlp file, there are no adverse effects to not reporting such an error. the licensee does the correct thing, and reports the error. we should in the future.

WORK AROUND Workaround is 'don't do that', as it is in the developer's control to fix this.