@xmldom/xmldom 0.9.0-beta.3 → 0.9.0-beta.5

package/CHANGELOG.md

@@ -4,6 +4,78 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.0-beta.5](https://github.com/xmldom/xmldom/compare/0.9.0-beta.4...0.9.0-beta.5)
+
+### Merged
+
+- fix: Restore ES5 compatibility [`#452`](https://github.com/xmldom/xmldom/pull/452) / [`#453`](https://github.com/xmldom/xmldom/issues/453)
+
+Thank you, [@fengxinming](https://github.com/fengxinming), for your contributions
+
+
+## [0.8.5](https://github.com/xmldom/xmldom/compare/0.8.4...0.8.5)
+
+### Merged
+
+- fix: Restore ES5 compatibility [`#452`](https://github.com/xmldom/xmldom/pull/452) / [`#453`](https://github.com/xmldom/xmldom/issues/453)
+
+Thank you, [@fengxinming](https://github.com/fengxinming), for your contributions
+
+
+## [0.7.8](https://github.com/xmldom/xmldom/compare/0.7.7...0.7.8)
+
+### Merged
+
+- fix: Restore ES5 compatibility [`#452`](https://github.com/xmldom/xmldom/pull/452) / [`#453`](https://github.com/xmldom/xmldom/issues/453)
+
+Thank you, [@fengxinming](https://github.com/fengxinming), for your contributions
+
+
+## [0.9.0-beta.4](https://github.com/xmldom/xmldom/compare/0.9.0-beta.3...0.9.0-beta.4)
+
+### Fixed
+
+- Security: Prevent inserting DOM nodes when they are not well-formed [`CVE-2022-39353`](https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883)
+  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like `<` and `>` are encoded accordingly.
+  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
+  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
+  Related Spec: <https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity>
+
+### Chore
+
+- update multiple devDependencies
+- Add eslint-plugin-node for `lib` [`#448`](https://github.com/xmldom/xmldom/pull/448) / [`#190`](https://github.com/xmldom/xmldom/issues/190)
+- style: Apply prettier to all code [`#447`](https://github.com/xmldom/xmldom/pull/447) / [`#29`](https://github.com/xmldom/xmldom/issues/29) / [`#130`](https://github.com/xmldom/xmldom/issues/130)
+
+Thank you, [@XhmikosR](https://github.com/XhmikosR), [@awwright](https://github.com/awwright), [@frumioj](https://github.com/frumioj), [@cjbarth](https://github.com/cjbarth), [@markgollnick](https://github.com/markgollnick) for your contributions
+
+
+## [0.8.4](https://github.com/xmldom/xmldom/compare/0.8.3...0.8.4)
+
+### Fixed
+
+- Security: Prevent inserting DOM nodes when they are not well-formed [`CVE-2022-39353`](https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883)
+  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like `<` and `>` are encoded accordingly.
+  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
+  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
+  Related Spec: <https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity>
+
+Thank you, [@frumioj](https://github.com/frumioj), [@cjbarth](https://github.com/cjbarth), [@markgollnick](https://github.com/markgollnick) for your contributions
+
+
+## [0.7.7](https://github.com/xmldom/xmldom/compare/0.7.6...0.7.7)
+
+### Fixed
+
+- Security: Prevent inserting DOM nodes when they are not well-formed [`CVE-2022-39353`](https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883)
+  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like `<` and `>` are encoded accordingly.
+  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
+  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
+  Related Spec: <https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity>
+
+Thank you, [@frumioj](https://github.com/frumioj), [@cjbarth](https://github.com/cjbarth), [@markgollnick](https://github.com/markgollnick) for your contributions
+
+
 ## [0.9.0-beta.3](https://github.com/xmldom/xmldom/compare/0.9.0-beta.2...0.9.0-beta.3)
 
 ### Fixed

package/lib/.eslintrc.yml

@@ -1,2 +1,3 @@
 extends:
   - 'plugin:es5/no-es2015'
+  - 'plugin:node/recommended'

package/lib/conventions.js

@@ -1,4 +1,36 @@
-'use strict'
+'use strict';
+
+/**
+ * Ponyfill for `Array.prototype.find` which is only available in ES6 runtimes.
+ *
+ * Works with anything that has a `length` property and index access properties, including NodeList.
+ *
+ * @template {unknown} T
+ * @param {Array<T> | ({length:number, [number]: T})} list
+ * @param {function (item: T, index: number, list:Array<T> | ({length:number, [number]: T})):boolean} predicate
+ * @param {Partial<Pick<ArrayConstructor['prototype'], 'find'>>?} ac `Array.prototype` by default,
+ * 				allows injecting a custom implementation in tests
+ * @returns {T | undefined}
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/find
+ * @see https://tc39.es/ecma262/multipage/indexed-collections.html#sec-array.prototype.find
+ */
+function find(list, predicate, ac) {
+	if (ac === undefined) {
+		ac = Array.prototype;
+	}
+	if (list && typeof ac.find === 'function') {
+		return ac.find.call(list, predicate);
+	}
+	for (var i = 0; i < list.length; i++) {
+		if (Object.prototype.hasOwnProperty.call(list, i)) {
+			var item = list[i];
+			if (predicate.call(undefined, item, i, list)) {
+				return item;
+			}
+		}
+	}
+}
 
 /**
  * "Shallow freezes" an object to render it immutable.
@@ -17,9 +49,9 @@
  */
 function freeze(object, oc) {
 	if (oc === undefined) {
-		oc = Object
+		oc = Object;
 	}
-	return oc && typeof oc.freeze === 'function' ? oc.freeze(object) : object
+	return oc && typeof oc.freeze === 'function' ? oc.freeze(object) : object;
 }
 
 /**
@@ -37,14 +69,14 @@ function freeze(object, oc) {
  */
 function assign(target, source) {
 	if (target === null || typeof target !== 'object') {
-		throw new TypeError('target is not an object')
+		throw new TypeError('target is not an object');
 	}
 	for (var key in source) {
 		if (Object.prototype.hasOwnProperty.call(source, key)) {
-			target[key] = source[key]
+			target[key] = source[key];
 		}
 	}
-	return target
+	return target;
 }
 
 /**
@@ -87,7 +119,7 @@ var HTML_BOOLEAN_ATTRIBUTES = freeze({
 	required: true,
 	reversed: true,
 	selected: true,
-})
+});
 
 /**
  * Check if `name` is matching one of the HTML boolean attribute names.
@@ -100,7 +132,7 @@ var HTML_BOOLEAN_ATTRIBUTES = freeze({
  * @see https://html.spec.whatwg.org/#attributes-3
  */
 function isHTMLBooleanAttribute(name) {
-	return HTML_BOOLEAN_ATTRIBUTES.hasOwnProperty(name.toLowerCase())
+	return HTML_BOOLEAN_ATTRIBUTES.hasOwnProperty(name.toLowerCase());
 }
 
 /**
@@ -131,7 +163,7 @@ var HTML_VOID_ELEMENTS = freeze({
 	source: true,
 	track: true,
 	wbr: true,
-})
+});
 
 /**
  * Check if `tagName` is matching one of the HTML void element names.
@@ -144,7 +176,7 @@ var HTML_VOID_ELEMENTS = freeze({
  * @see https://html.spec.whatwg.org/#void-elements
  */
 function isHTMLVoidElement(tagName) {
-	return HTML_VOID_ELEMENTS.hasOwnProperty(tagName.toLowerCase())
+	return HTML_VOID_ELEMENTS.hasOwnProperty(tagName.toLowerCase());
 }
 
 /**
@@ -161,7 +193,7 @@ var HTML_RAW_TEXT_ELEMENTS = freeze({
 	style: false,
 	textarea: true,
 	title: true,
-})
+});
 
 /**
  * Check if `tagName` is matching one of the HTML raw text element names.
@@ -227,7 +259,7 @@ var MIME_TYPE = freeze({
 	 * @see [`DOMParser.parseFromString` @ HTML Specification](https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#dom-domparser-parsefromstring)
 	 */
 	isHTML: function (value) {
-		return value === MIME_TYPE.HTML
+		return value === MIME_TYPE.HTML;
 	},
 
 	/**
@@ -242,9 +274,7 @@ var MIME_TYPE = freeze({
 	 * @see https://dom.spec.whatwg.org/#dom-domimplementation-createhtmldocument
 	 */
 	hasDefaultHTMLNamespace: function (mimeType) {
-		return (
-			MIME_TYPE.isHTML(mimeType) || mimeType === MIME_TYPE.XML_XHTML_APPLICATION
-		)
+		return MIME_TYPE.isHTML(mimeType) || mimeType === MIME_TYPE.XML_XHTML_APPLICATION;
 	},
 
 	/**
@@ -283,7 +313,7 @@ var MIME_TYPE = freeze({
 	 * @see https://en.wikipedia.org/wiki/Scalable_Vector_Graphics Wikipedia
 	 */
 	XML_SVG_IMAGE: 'image/svg+xml',
-})
+});
 
 /**
  * Namespaces that are used in this code base.
@@ -306,7 +336,7 @@ var NAMESPACE = freeze({
 	 * @see NAMESPACE.HTML
 	 */
 	isHTML: function (uri) {
-		return uri === NAMESPACE.HTML
+		return uri === NAMESPACE.HTML;
 	},
 
 	/**
@@ -329,16 +359,17 @@ var NAMESPACE = freeze({
 	 * @see https://www.w3.org/2000/xmlns/
 	 */
 	XMLNS: 'http://www.w3.org/2000/xmlns/',
-})
+});
 
-exports.assign = assign
-exports.freeze = freeze
-exports.HTML_BOOLEAN_ATTRIBUTES = HTML_BOOLEAN_ATTRIBUTES
-exports.HTML_RAW_TEXT_ELEMENTS = HTML_RAW_TEXT_ELEMENTS
-exports.HTML_VOID_ELEMENTS = HTML_VOID_ELEMENTS
-exports.isHTMLBooleanAttribute = isHTMLBooleanAttribute
-exports.isHTMLRawTextElement = isHTMLRawTextElement
-exports.isHTMLEscapableRawTextElement = isHTMLEscapableRawTextElement
-exports.isHTMLVoidElement = isHTMLVoidElement
-exports.MIME_TYPE = MIME_TYPE
-exports.NAMESPACE = NAMESPACE
+exports.assign = assign;
+exports.find = find;
+exports.freeze = freeze;
+exports.HTML_BOOLEAN_ATTRIBUTES = HTML_BOOLEAN_ATTRIBUTES;
+exports.HTML_RAW_TEXT_ELEMENTS = HTML_RAW_TEXT_ELEMENTS;
+exports.HTML_VOID_ELEMENTS = HTML_VOID_ELEMENTS;
+exports.isHTMLBooleanAttribute = isHTMLBooleanAttribute;
+exports.isHTMLRawTextElement = isHTMLRawTextElement;
+exports.isHTMLEscapableRawTextElement = isHTMLEscapableRawTextElement;
+exports.isHTMLVoidElement = isHTMLVoidElement;
+exports.MIME_TYPE = MIME_TYPE;
+exports.NAMESPACE = NAMESPACE;