Fix input validation in XMLTokener.unescapeEntity() by OwenSanzas · Pull Request #1038 · stleary/JSON-java

OwenSanzas · 2026-01-27T11:52:12Z

Fix StringIndexOutOfBoundsException and NumberFormatException in XMLTokener.unescapeEntity() when parsing malformed XML numeric character references.

Issues:

&#; (empty numeric reference) caused StringIndexOutOfBoundsException
&#txx; (invalid decimal) caused NumberFormatException
&#xGGG; (invalid hex) caused NumberFormatException

Changes:

Add length validation before accessing character positions
Add isValidHex() and isValidDecimal() helper methods
Throw proper JSONException with descriptive messages

Fixes #1035, Fixes #1036

Fix StringIndexOutOfBoundsException and NumberFormatException in XMLTokener.unescapeEntity() when parsing malformed XML numeric character references. Issues: - &#; (empty numeric reference) caused StringIndexOutOfBoundsException - &#txx; (invalid decimal) caused NumberFormatException - &#xGGG; (invalid hex) caused NumberFormatException Changes: - Add length validation before accessing character positions - Add isValidHex() and isValidDecimal() helper methods - Throw proper JSONException with descriptive messages Fixes stleary#1035, Fixes stleary#1036

stleary · 2026-01-27T18:32:07Z

Changes look good, but unescapeEntity() complexity is now too high: unescapeEntity()
Please refactor into separate methods.
Also, there are no new unit tests.
I can add the unit tests after commit, but the refactoring should be completed before committing the code. If you don't get a chance to do this in the next few days, I will take a local branch and do the refactor, but then you will lose authorship of the changes.

[stleary 1/28/2026] Issues fixed

stleary · 2026-01-27T18:36:27Z

What problem does this code solve?
Throws JSONException for errors occurring in XMLTokener unescapeEntity()

Does the code still compile with Java6?
Yes

Risks
Low

Changes to the API?
Type of exception thrown has changed.

Will this require a new release?
No

Should the documentation be updated?
No

Does it break the unit tests?
No, ~~but no unit tests were added~~ and new unit tests were added

Was any code refactored in this commit?
No

Review status
APPROVED ~~PENDING REQUESTED REFACTORING~~

Starting 3-day comment window

Extracted hex and decimal parsing logic into separate methods to address SonarQube complexity warning: - parseHexEntity(): handles ઼ format - parseDecimalEntity(): handles &stleary#123; format This reduces cyclomatic complexity while maintaining identical functionality and all validation checks.

Added comprehensive test coverage for numeric character reference parsing: Exception cases (should throw JSONException): - Empty numeric entity: &#; - Invalid decimal entity: &#txx; - Empty hex entity: &#x; - Invalid hex characters: &#xGGG; Valid cases (should parse correctly): - Decimal entity: &stleary#65; -> 'A' - Lowercase hex entity: A -> 'A' - Uppercase hex entity: &#X41; -> 'A' These tests verify the fixes for issues stleary#1035 and stleary#1036.

sonarqubecloud · 2026-01-28T09:59:14Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

OwenSanzas · 2026-01-28T10:05:02Z

Hey @stleary, all requested changes are complete. Could you please take a look?

After the refactoring:

PoCs for StringIndexOutOfBoundsException in XMLTokener.unescapeEntity due to Missing Length Check #1035 and NumberFormatException in XMLTokener.unescapeEntity due to Missing Input Validation #1036 are mitigated
All newly-added unit tests pass
All existing unit tests pass

stleary added Approved - 3-day window Code review action items labels Jan 27, 2026

OwenSanzas force-pushed the fix-xmltokener-unescapeentity branch from 2ec1d75 to 495474f Compare January 28, 2026 09:50

OwenSanzas force-pushed the fix-xmltokener-unescapeentity branch from 495474f to 6c1bfbc Compare January 28, 2026 09:52

stleary removed the Code review action items label Jan 28, 2026

stleary approved these changes Jan 30, 2026

View reviewed changes

stleary merged commit 538afc3 into stleary:master Jan 30, 2026
9 checks passed

stleary removed the Approved - 3-day window label Jan 30, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix input validation in XMLTokener.unescapeEntity()#1038

Fix input validation in XMLTokener.unescapeEntity()#1038
stleary merged 3 commits intostleary:masterfrom
OwenSanzas:fix-xmltokener-unescapeentity

OwenSanzas commented Jan 27, 2026

Uh oh!

stleary commented Jan 27, 2026 •

edited

Loading

Uh oh!

stleary commented Jan 27, 2026 •

edited

Loading

Uh oh!

sonarqubecloud bot commented Jan 28, 2026 •

edited

Loading

Uh oh!

OwenSanzas commented Jan 28, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

OwenSanzas commented Jan 27, 2026

Uh oh!

stleary commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

stleary commented Jan 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

sonarqubecloud bot commented Jan 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Quality Gate passed

Uh oh!

OwenSanzas commented Jan 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

stleary commented Jan 27, 2026 •

edited

Loading

stleary commented Jan 27, 2026 •

edited

Loading

sonarqubecloud bot commented Jan 28, 2026 •

edited

Loading

OwenSanzas commented Jan 28, 2026 •

edited

Loading