JDK-8343006

Adjust JAXP limits


    • CSR
    • Resolution: Approved
    • P4
    • 24
    • xml
    • None
    • behavioral
    • low
    • The impact is low because the adjusted values are still large enough for general applications. In cases where higher limits are needed, they can be changed easily with or without code changes, as demonstrated in the Solution section.
    • System or security property
    • JDK

      Summary

      Adjust JAXP's XML Processing Limits (JAXP Limits) to be more in line with general usage.

      Problem

      JAXP limits are a set of JDK implementation-specific properties, as listed in the java.xml module description, for example jdk.xml.entityExpansionLimit. These limits were designed to prevent applications from consuming excessive resources or memory. They were provided for developers to set processing limits based on application requirements and system configurations. In a similar context, the JDK itself should also adjust the default settings to be more in line with general usage.

      Solution

      Adjust JAXP limits to fit general application needs based on known public entities such as W3C MathML DTDs.

      These changes will affect parsing of XML documents that contain Document Type Definitions (DTDs) using JAXP APIs such as the DOM, SAX and StAX parsers. They indirectly affect the Transform and Validation APIs that use these processors.

      Compatibility and Solutions

      If an application processes XML documents that reference an extremely large DTD, it may encounter a parsing error in the form of an Exception, such as the following:

      JAXP00010001: The parser has encountered more than "2500" entity expansions in this document; 
      this is the limit imposed by the JDK.

      To resolve the issue, an application may increase the limit via the JAXP API. Using the DOM processor as an example, the following code increases the expansion limit to 5000:

      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setAttribute("jdk.xml.entityExpansionLimit", 5000);

      Alternatively, the limit can be set in the JAXP Configuration File. A template for creating a strict JAXP Configuration File, jaxp-strict.properties.template, was provided in JDK 23 for developers to assess and prepare their applications for changes such as this.

      To set the property in the configuration file, copy the template and create a custom configuration file:

      cp $JAVA_HOME/conf/jaxp-strict.properties.template /<my_path>/jaxp-strict.properties

      Edit and change the setting as follows:

      jdk.xml.entityExpansionLimit=5000

      As a system property, this property can also be set on the command line, e.g.:

      java -Djdk.xml.entityExpansionLimit=5000 myApp 

      The Java tutorial, JAXP Processing Limits, describes a debugging approach that can be used to analyze usage and estimate the limits.
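The limit and its API override can be seen side by side in the following added example, which is not part of the original CSR or the JDK sources. It parses a constructed document containing 3000 flat references to one short internal entity, first with the limit set to 2500 and then to 5000; the class name, method names and sample document are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

// Added illustration; class and method names are hypothetical.
public class EntityLimitDemo {
    static final String LIMIT = "jdk.xml.entityExpansionLimit";

    // Constructed sample: one short internal entity referenced `refs` times, no nesting.
    static byte[] sampleDocument(int refs) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE r [<!ENTITY e \"x\">]><r>");
        for (int i = 0; i < refs; i++) {
            sb.append("&e;");
        }
        return sb.append("</r>").toString().getBytes(StandardCharsets.UTF_8);
    }

    // Returns null when the document parses, otherwise the parser's error message.
    static String parseWithLimit(byte[] xml, int limit) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Set on this factory only; other parsers in the JVM keep their own limits.
        dbf.setAttribute(LIMIT, limit);
        try {
            dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] xml = sampleDocument(3000);
        for (int limit : new int[] {2500, 5000}) {
            String error = parseWithLimit(xml, limit);
            System.out.println("limit " + limit + ": "
                    + (error == null ? "parsed" : "rejected: " + error));
        }
    }
}
```

Setting the attribute on the one factory that handles the large DTD keeps the tighter default in force for every other parser in the process, which the command-line system property does not.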

      Specification

      Update the java.xml module description, table Implementation Specific Properties:

          Name                                 Value (default)
      
      - jdk.xml.entityExpansionLimit             64000
      + jdk.xml.entityExpansionLimit              2500
      
      
      - jdk.xml.totalEntitySizeLimit          50000000
      + jdk.xml.totalEntitySizeLimit            100000
      
      - jdk.xml.maxGeneralEntitySizeLimit            0
      + jdk.xml.maxGeneralEntitySizeLimit       100000
      
      - jdk.xml.maxParameterEntitySizeLimit    1000000
      + jdk.xml.maxParameterEntitySizeLimit      15000
      
      - jdk.xml.entityReplacementLimit         3000000
      + jdk.xml.entityReplacementLimit          100000
      
      - jdk.xml.maxElementDepth                      0
      + jdk.xml.maxElementDepth                    100
      
      - jdk.xml.elementAttributeLimit           10,000
      + jdk.xml.elementAttributeLimit              200
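Review bot: the rows for jdk.xml.maxGeneralEntitySizeLimit and jdk.xml.maxElementDepth change the default from 0 to a finite value, but the table does not say what 0 means, so a reader cannot tell from these lines whether a limit is being introduced or changed; add a short note on the meaning of 0 next to those two rows. As a style point, the removed value for jdk.xml.elementAttributeLimit is written "10,000" with a thousands separator while every other value in the table is plain digits; writing it as 10000 would keep the old and new values directly comparable.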
      

            joehw Joe Wang
            Lance Andersen