JDK-8359432 : Unable to parse well-formed XML with escaped entities
  • Type: Bug
  • Component: xml
  • Sub-Component: jaxp
  • Affected Version: 8,25
  • Priority: P4
  • Status: Open
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2025-06-13
  • Updated: 2025-07-14
Description
ADDITIONAL SYSTEM INFORMATION :
Get the issue with Windows 11, JDK 21 and JDK 24.

A DESCRIPTION OF THE PROBLEM :
Unable to parse well-formed XML with escaped entities
With https://bugs.openjdk.org/browse/JDK-8343004 the jdk.xml.maxGeneralEntitySizeLimit was set from unlimited to 100000 in JDK 24. That's why the problem was not exposed until now.
When parsing a well-formed XML with SAXParser and jdk.xml.maxGeneralEntitySizeLimit=2, the parser throws JAXP00010003, claiming entity "[xml]" has a size of "3" bytes, exceeding the "2" limit. The XML contains escaped entities (&amp;, &lt;, &gt;), and no "[xml]" entity is defined, making the error message unclear. This may indicate a bug in SAXParser’s entity handling or error reporting under strict limits. My XML is:

<?xml version="1.0" encoding="UTF-8"?>
<root>
	<Description>Depn prov - f &amp; f &lt; f &gt; f</Description>
</root>

When using JDK 24 with the default jdk.xml.maxGeneralEntitySizeLimit (100,000), I encounter an error parsing an XML containing escaped entities (e.g., &amp;, &lt;, &gt;) if the entity content exceeds 100,000.
The same problem exists in JDK 21, but it is hidden because maxGeneralEntitySizeLimit=0 by default.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the Test Case code to reproduce the issue with JDK 21 and 24.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
It should run successfully with no error.
ACTUAL -
Get error:
[Fatal Error] :3:48: JAXP00010003: The length of entity "[xml]" is "3" that exceeds the "2" limit set by "jdk.xml.maxGeneralEntitySizeLimit".
Exception in thread "main" org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 48; JAXP00010003: The length of entity "[xml]" is "3" that exceeds the "2" limit set by "jdk.xml.maxGeneralEntitySizeLimit".
	at java.xml/com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1252)
	at java.xml/com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
	at com.bgu.lang.xml.SAXSimpleTest_SUN_14640.testSAXParse(SAXSimpleTest_SUN_14640.java:72)
	at com.bgu.lang.xml.SAXSimpleTest_SUN_14640.main(SAXSimpleTest_SUN_14640.java:54)

---------- BEGIN SOURCE ----------
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
public class SAXSimpleTest_SUN_14640  {
	public static void main(final String[] args) throws Exception {
		System.setProperty("jdk.xml.maxGeneralEntitySizeLimit", "2");
		// @formatter:off
		// Declare the variable; the original snippet omitted the type and did not compile.
		String xmlString = """
<?xml version="1.0" encoding="UTF-8"?>
<root>
	<Description>Depn prov - f &amp; f &lt; f &gt; f</Description>
</root>
				""";
		// @formatter:on
		testSAXParse(xmlString);
	}

	private static void testSAXParse(final String xmlString) throws Exception {
		SAXParserFactory spf = SAXParserFactory.newInstance();
		spf.setNamespaceAware(true);
		SAXParser saxParser = spf.newSAXParser();
		XMLReader reader = saxParser.getXMLReader();
		reader.parse(new InputSource(new StringReader(xmlString)));
	}
}
---------- END SOURCE ----------


Comments
Additional Information from submitter:
===================================
This issue can easily be a blocker when a big payload is XML encoded within another XML node. For example, the following SOAP envelope has an embedded XML payload:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
	<soapenv:Header/>
	<soapenv:Body>
		<web:ExecuteRequest>
			<web:payload>
				&lt;SSC&gt;
				&lt;User&gt;
				&lt;Name&gt;PK1&lt;/Name&gt;
				&lt;/User&gt;
				&lt;Payload&gt;
				... ...
				&lt;/Payload&gt;
				&lt;/SSC&gt;
			</web:payload>
		</web:ExecuteRequest>
	</soapenv:Body>
</soapenv:Envelope>

The count of &lt; and &gt; can be greater than 100000 if the payload is big. Then the XML parsing will fail.

PS: Using CDATA instead of XML encoding is a workaround. But for some products, the client side is not in our control and we cannot ask users to use CDATA.
14-07-2025
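
The failure from the report and the CDATA workaround named in the comment above, side by side, as an added example (not code from the bug report or from the JDK). The class name, helper names and sample payload are constructed; the limit of 2 is the value used in the report's test case, and each parse outcome is printed rather than assumed, so the entity size limit stays enabled while both encodings are compared.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitCdataDemo {
    // Constructed sample payload, modelled on the report's <Description> element.
    static final String PAYLOAD = "Depn prov - f & f < f > f";

    // Escape the three characters the report's test case escapes.
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Wrap text in CDATA, splitting any "]]>" so the section cannot be closed early.
    static String cdata(String s) {
        return "<![CDATA[" + s.replace("]]>", "]]]]><![CDATA[>") + "]]>";
    }

    // Parse one document; return the text the handler received, or the parser error.
    static String parse(String body) throws Exception {
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<root><Description>"
                + body + "</Description></root>";
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return "OK    text=" + text;
        } catch (SAXParseException e) {
            return "ERROR " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Same setting as the report's test case, applied before any parser is created.
        System.setProperty("jdk.xml.maxGeneralEntitySizeLimit", "2");
        System.out.println("escaped: " + parse(escape(PAYLOAD)));
        System.out.println("CDATA:   " + parse(cdata(PAYLOAD)));
    }
}
```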

Impact -> M (Somewhere in-between the extremes)
Likelihood -> L (Unusual uses)
Workaround -> M (Somewhere in-between the extremes)
Priority -> P4
13-06-2025

The observations on Windows 11:
JDK 8: Failed, error observed.
JDK 25ea+22: Failed.
13-06-2025