When using "Portalised Tool State" URLs as described in "URLs Within Sakai" (http://confluence.sakaiproject.org/display/SAKDEV/URLs+within+Sakai), a tool URL with multiple CGI parameters will cause an NPE during render. This is because the IFrameToolRenderService class does not escape the '&' characters that separate CGI parameters when it builds the iframe element that represents the tool, which results in malformed XML. The '&' symbol introduces entity references in XML, so the CGI parameters look like unterminated entities, causing parse errors.
For example, a URL like:
This will cause the parser to interpret parameter2 as an unterminated entity. This is particularly a problem in xsltcharon (xsl-portal) because the iframe element is subsequently processed by XmlUtils.readDocumentFromString(...), which catches the parse exception, logs it, and returns null. Calling code will subsequently NPE if it does not check for null.
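The failure and the fix can be reproduced with the JDK's own XML parser. This is an added example, not Sakai code: `parseOrNull` is a hypothetical stand-in for the swallow-and-return-null behaviour described above, `escapeXmlAttr` is an illustrative helper, and the URL is a constructed sample.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class IframeEscapeDemo {
    // Constructed sample URL; host, path and parameter values are placeholders.
    static final String TOOL_URL =
        "http://localhost:8080/portal/tool/PLACEHOLDER?parameter1=a&parameter2=b";

    // Escape the five characters that are special inside an XML attribute value.
    static String escapeXmlAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical stand-in: catch the parse error, log it, return null.
    static Document parseOrNull(String xml) {
        try {
            DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            b.setErrorHandler(new DefaultHandler()); // fatal errors are still thrown
            return b.parse(new InputSource(new StringReader(xml)));
        } catch (Exception e) {
            System.out.println("parse failed: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        String raw = "<iframe src=\"" + TOOL_URL + "\"></iframe>";
        String escaped = "<iframe src=\"" + escapeXmlAttr(TOOL_URL) + "\"></iframe>";
        Document bad = parseOrNull(raw); // '&parameter2' is read as an entity reference
        System.out.println("unescaped -> " + (bad == null ? "null, caller must check" : "parsed"));
        Document good = parseOrNull(escaped);
        String src = good.getDocumentElement().getAttribute("src");
        System.out.println("escaped   -> src round-trips: " + TOOL_URL.equals(src));
    }
}
```

The parser decodes `&amp;` back to `&` when the attribute is read, so escaping at the point where the iframe markup is built does not change the URL the tool receives.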