@xmldom/xmldom 0.8.10 → 0.8.12

package/CHANGELOG.md

@@ -4,6 +4,26 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.12](https://github.com/xmldom/xmldom/compare/0.8.11...0.8.12)
+
+### Fixed
+
+- Security: `createCDATASection` now throws `InvalidCharacterError` when `data` contains `"]]>"`, as required by the [WHATWG DOM spec](https://dom.spec.whatwg.org/#dom-document-createcdatasection). [`GHSA-wh4c-j3r5-mjhp`](https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp)
+- Security: `XMLSerializer` now splits CDATASection nodes whose data contains `"]]>"` into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (`appendData`, `replaceData`, `.data =`, `.textContent =`). [`GHSA-wh4c-j3r5-mjhp`](https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp)
+
+Code that passes a string containing `"]]>"` to `createCDATASection` and relied on the previously unsafe behavior will now receive `InvalidCharacterError`. Use a mutation method such as `appendData` if you intentionally need `"]]>"` in a CDATASection node's data.
+
+Thank you, [@thesmartshadow](https://github.com/thesmartshadow), for your contributions
+
+## [0.8.11](https://github.com/xmldom/xmldom/compare/0.8.10...0.8.11)
+
+### Fixed
+
+- update `ownerDocument` when moving nodes between documents [`#933`](https://github.com/xmldom/xmldom/pull/933) / [`#932`](https://github.com/xmldom/xmldom/issues/932)
+
+Thank you, [@shunkica](https://github.com/shunkica), for your contributions
+
+
 ## [0.8.10](https://github.com/xmldom/xmldom/compare/0.8.9...0.8.10)
 
 ### Fixed

package/index.d.ts

@@ -23,6 +23,16 @@ declare module "@xmldom/xmldom" {
   }
 
   interface XMLSerializer {
+      /**
+       * Returns the result of serializing `node` to XML.
+       *
+       * __This implementation differs from the specification:__
+       * - CDATASection nodes whose data contains `]]>` are serialized by splitting the section
+       *   at each `]]>` occurrence (following W3C DOM Level 3 Core `split-cdata-sections`
+       *   default behaviour). A configurable option is not yet implemented.
+       *
+       * @see https://html.spec.whatwg.org/#dom-xmlserializer-serializetostring
+       */
       serializeToString(node: Node): string;
   }
 

package/lib/dom.js

@@ -980,6 +980,9 @@ function _insertBefore(parent, node, child, _inDocumentAssertion) {
 	}
 	do{
 		newFirst.parentNode = parent;
+		// Update ownerDocument for each node being inserted
+		var targetDoc = parent.ownerDocument || parent;
+		_updateOwnerDocument(newFirst, targetDoc);
 	}while(newFirst !== newLast && (newFirst= newFirst.nextSibling))
 	_onUpdateChild(parent.ownerDocument||parent, parent);
 	//console.log(parent.lastChild.nextSibling == null)
@@ -989,6 +992,37 @@ function _insertBefore(parent, node, child, _inDocumentAssertion) {
 	return node;
 }
 
+/**
+ * Recursively updates the ownerDocument property for a node and all its descendants
+ * @param {Node} node
+ * @param {Document} newOwnerDocument
+ * @private
+ */
+function _updateOwnerDocument(node, newOwnerDocument) {
+	if (node.ownerDocument === newOwnerDocument) {
+		return;
+	}
+	
+	node.ownerDocument = newOwnerDocument;
+	
+	// Update attributes if this is an element
+	if (node.nodeType === ELEMENT_NODE && node.attributes) {
+		for (var i = 0; i < node.attributes.length; i++) {
+			var attr = node.attributes.item(i);
+			if (attr) {
+				attr.ownerDocument = newOwnerDocument;
+			}
+		}
+	}
+	
+	// Recursively update child nodes
+	var child = node.firstChild;
+	while (child) {
+		_updateOwnerDocument(child, newOwnerDocument);
+		child = child.nextSibling;
+	}
+}
+
 /**
  * Appends `newChild` to `parentNode`.
  * If `newChild` is already connected to a `parentNode` it is first removed from it.
@@ -1014,6 +1048,11 @@ function _appendSingleChild (parentNode, newChild) {
 	}
 	parentNode.lastChild = newChild;
 	_onUpdateChild(parentNode.ownerDocument, parentNode, newChild);
+	
+	// Update ownerDocument for the new child and all its descendants
+	var targetDoc = parentNode.ownerDocument || parentNode;
+	_updateOwnerDocument(newChild, targetDoc);
+	
 	return newChild;
 }
 
@@ -1042,7 +1081,7 @@ Document.prototype = {
 			return newChild;
 		}
 		_insertBefore(this, newChild, refChild);
-		newChild.ownerDocument = this;
+		_updateOwnerDocument(newChild, this);
 		if (this.documentElement === null && newChild.nodeType === ELEMENT_NODE) {
 			this.documentElement = newChild;
 		}
@@ -1058,7 +1097,7 @@ Document.prototype = {
 	replaceChild: function (newChild, oldChild) {
 		//raises
 		_insertBefore(this, newChild, oldChild, assertPreReplacementValidityInDocument);
-		newChild.ownerDocument = this;
+		_updateOwnerDocument(newChild, this);
 		if (oldChild) {
 			this.removeChild(oldChild);
 		}
@@ -1158,7 +1197,22 @@ Document.prototype = {
 		node.appendData(data)
 		return node;
 	},
+	/**
+	 * Returns a new CDATASection node whose data is `data`.
+	 *
+	 * __This implementation differs from the specification:__
+	 * - calling this method on an HTML document does not throw `NotSupportedError`.
+	 *
+	 * @param {string} data
+	 * @returns {CDATASection}
+	 * @throws DOMException with code `INVALID_CHARACTER_ERR` if `data` contains `"]]>"`.
+	 * @see https://developer.mozilla.org/en-US/docs/Web/API/Document/createCDATASection
+	 * @see https://dom.spec.whatwg.org/#dom-document-createcdatasection
+	 */
 	createCDATASection :	function(data){
+		if (data.indexOf(']]>') !== -1) {
+			throw new DOMException(INVALID_CHARACTER_ERR, 'data contains "]]>"');
+		}
 		var node = new CDATASection();
 		node.ownerDocument = this;
 		node.appendData(data)
@@ -1427,6 +1481,20 @@ function ProcessingInstruction() {
 ProcessingInstruction.prototype.nodeType = PROCESSING_INSTRUCTION_NODE;
 _extends(ProcessingInstruction,Node);
 function XMLSerializer(){}
+/**
+ * Returns the result of serializing `node` to XML.
+ *
+ * __This implementation differs from the specification:__
+ * - CDATASection nodes whose data contains `]]>` are serialized by splitting the section
+ *   at each `]]>` occurrence (following W3C DOM Level 3 Core `split-cdata-sections`
+ *   default behaviour). A configurable option is not yet implemented.
+ *
+ * @param {Node} node
+ * @param {boolean} [isHtml]
+ * @param {function} [nodeFilter]
+ * @returns {string}
+ * @see https://html.spec.whatwg.org/#dom-xmlserializer-serializetostring
+ */
 XMLSerializer.prototype.serializeToString = function(node,isHtml,nodeFilter){
 	return nodeSerializeToString.call(node,isHtml,nodeFilter);
 }
@@ -1645,7 +1713,7 @@ function serializeToString(node,buf,isHTML,nodeFilter,visibleNamespaces){
 			.replace(/[<&>]/g,_xmlEncoder)
 		);
 	case CDATA_SECTION_NODE:
-		return buf.push( '<![CDATA[',node.data,']]>');
+		return buf.push('<![CDATA[', node.data.replace(/]]>/g, ']]]]><![CDATA[>'), ']]>');
 	case COMMENT_NODE:
 		return buf.push( "<!--",node.data,"-->");
 	case DOCUMENT_TYPE_NODE:

package/lib/sax.js

@@ -597,7 +597,7 @@ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
 function parseInstruction(source,start,domBuilder){
 	var end = source.indexOf('?>',start);
 	if(end){
-		var match = source.substring(start,end).match(/^<\?(\S*)\s*([\s\S]*?)\s*$/);
+		var match = source.substring(start,end).match(/^<\?(\S*)\s*([\s\S]*?)$/);
 		if(match){
 			var len = match[0].length;
 			domBuilder.processingInstruction(match[1], match[2]) ;

package/package.json

@@ -1,71 +1,72 @@
 {
-  "name": "@xmldom/xmldom",
-  "version": "0.8.10",
-  "description": "A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.",
-  "keywords": [
-    "w3c",
-    "dom",
-    "xml",
-    "parser",
-    "javascript",
-    "DOMParser",
-    "XMLSerializer",
-    "ponyfill"
-  ],
-  "homepage": "https://github.com/xmldom/xmldom",
-  "repository": {
-    "type": "git",
-    "url": "git://github.com/xmldom/xmldom.git"
-  },
-  "main": "lib/index.js",
-  "types": "index.d.ts",
-  "files": [
-    "CHANGELOG.md",
-    "LICENSE",
-    "readme.md",
-    "SECURITY.md",
-    "index.d.ts",
-    "lib"
-  ],
-  "scripts": {
-    "lint": "eslint lib test",
-    "format": "prettier --write test",
-    "changelog": "auto-changelog --unreleased-only",
-    "start": "nodemon --watch package.json --watch lib --watch test --exec 'npm --silent run test && npm --silent run lint'",
-    "stryker": "stryker run",
-    "stryker:dry-run": "stryker run -m '' --reporters progress",
-    "test": "jest",
-    "testrelease": "npm test && eslint lib",
-    "version": "./changelog-has-version.sh",
-    "release": "np --no-yarn --test-script testrelease --branch release-0.8.x patch"
-  },
-  "engines": {
-    "node": ">=10.0.0"
-  },
-  "dependencies": {},
-  "devDependencies": {
-    "@stryker-mutator/core": "5.6.1",
-    "auto-changelog": "2.4.0",
-    "eslint": "8.25.0",
-    "eslint-config-prettier": "8.5.0",
-    "eslint-plugin-es5": "1.5.0",
-    "eslint-plugin-prettier": "4.2.1",
-    "get-stream": "6.0.1",
-    "jest": "27.5.1",
-    "nodemon": "2.0.20",
-    "np": "7.6.2",
-    "prettier": "2.7.1",
-    "xmltest": "1.5.0",
-    "yauzl": "2.10.0"
-  },
-  "bugs": {
-    "url": "https://github.com/xmldom/xmldom/issues"
-  },
-  "license": "MIT",
-  "auto-changelog": {
-    "prepend": true,
-    "remote": "upstream",
-    "tagPrefix": "",
-    "template": "./auto-changelog.hbs"
-  }
+	"name": "@xmldom/xmldom",
+	"version": "0.8.12",
+	"description": "A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.",
+	"keywords": [
+		"w3c",
+		"dom",
+		"xml",
+		"parser",
+		"javascript",
+		"DOMParser",
+		"XMLSerializer",
+		"ponyfill"
+	],
+	"homepage": "https://github.com/xmldom/xmldom",
+	"repository": {
+		"type": "git",
+		"url": "git://github.com/xmldom/xmldom.git"
+	},
+	"main": "lib/index.js",
+	"types": "index.d.ts",
+	"files": [
+		"CHANGELOG.md",
+		"LICENSE",
+		"readme.md",
+		"SECURITY.md",
+		"index.d.ts",
+		"lib"
+	],
+	"scripts": {
+		"lint": "eslint lib test",
+		"format": "prettier --write test",
+		"format:check": "prettier --check test",
+		"changelog": "auto-changelog --unreleased-only",
+		"start": "nodemon --watch package.json --watch lib --watch test --exec 'npm --silent run test && npm --silent run lint'",
+		"stryker": "stryker run",
+		"stryker:dry-run": "stryker run -m '' --reporters progress",
+		"test": "jest",
+		"testrelease": "npm test && eslint lib",
+		"version": "./changelog-has-version.sh",
+		"release": "np --no-yarn --test-script testrelease --branch release-0.8.x patch"
+	},
+	"engines": {
+		"node": ">=10.0.0"
+	},
+	"dependencies": {},
+	"devDependencies": {
+		"@stryker-mutator/core": "5.6.1",
+		"auto-changelog": "2.4.0",
+		"eslint": "8.25.0",
+		"eslint-config-prettier": "8.5.0",
+		"eslint-plugin-es5": "1.5.0",
+		"eslint-plugin-prettier": "4.2.1",
+		"get-stream": "6.0.1",
+		"jest": "27.5.1",
+		"nodemon": "2.0.20",
+		"np": "9.2.0",
+		"prettier": "2.7.1",
+		"xmltest": "1.5.0",
+		"yauzl": "2.10.0"
+	},
+	"bugs": {
+		"url": "https://github.com/xmldom/xmldom/issues"
+	},
+	"license": "MIT",
+	"auto-changelog": {
+		"prepend": true,
+		"remote": "upstream",
+		"tagPrefix": "",
+		"template": "./auto-changelog.hbs"
+	}
 }