XMLEncode.xmlEncodeTextAsPCDATA() passes characters in the range U+0000-U+001F (excluding U+0009 TAB, U+000A LF, U+000D CR) through unencoded in the default branch of its switch statement. These characters are illegal in XML 1.0 and will cause XML parsers to reject the output.
The default case at line 112 just does n.append(c) — it should instead encode these characters as &#xHH; numeric character references. The explicitly handled cases (&, <, >, ", ', \r, \n) cover the legal control chars, but \0, \1-\b, \v, \f, \u000E-\u001F all slip through.
This affects both attribute values (via PrettyPrintXMLWriter.addAttribute()) and text content (via PrettyPrintXMLWriter.writeText()).
Fix: add a check in the default case to encode illegal XML control characters.
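A sketch of the check described above, as an added example rather than the plexus-utils source: the class and method names are hypothetical, the input is constructed, and the existing handling of \r and \n is left out because the report does not show it.

```java
// Added illustration; class and method names are hypothetical, not plexus-utils code.
public class ControlCharEncodeDemo {

    // True for U+0000-U+001F except TAB, LF and CR, the range the report describes.
    static boolean isIllegalXmlControl(char c) {
        return c < 0x20 && c != '\t' && c != '\n' && c != '\r';
    }

    static String encode(String text) {
        StringBuilder n = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  n.append("&amp;");  break;
                case '<':  n.append("&lt;");   break;
                case '>':  n.append("&gt;");   break;
                case '"':  n.append("&quot;"); break;
                case '\'': n.append("&apos;"); break;
                default:
                    if (isIllegalXmlControl(c)) {
                        // The check the report asks for: emit &#xHH; instead of the raw char.
                        n.append("&#x").append(String.format("%02X", (int) c)).append(';');
                    } else {
                        // Everything else, including TAB, passes through unchanged.
                        n.append(c);
                    }
            }
        }
        return n.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: NUL, BEL, vertical tab, form feed, ESC, plus a legal TAB.
        String sample = "a\u0000b\u0007c\u000Bd\fe\u001Bf\tg & <h>";
        System.out.println(encode(sample));
    }
}
```

XML 1.0 parsers also reject character references to these code points, so the encoded output is well-formed only in a document declared as XML 1.1, and U+0000 cannot be represented in either version.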