npm - @xmldom/xmldom - Versions diffs - 0.9.0-beta.4 → 0.9.0-beta.5 - Mend

@xmldom/xmldom 0.9.0-beta.4 → 0.9.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,33 @@ All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.9.0-beta.5](https://github.com/xmldom/xmldom/compare/0.9.0-beta.4...0.9.0-beta.5)
+### Merged
+- fix: Restore ES5 compatibility [`#452`](https://github.com/xmldom/xmldom/pull/452) / [`#453`](https://github.com/xmldom/xmldom/issues/453)
+Thank you, [@fengxinming](https://github.com/fengxinming), for your contributions
+## [0.8.5](https://github.com/xmldom/xmldom/compare/0.8.4...0.8.5)
+### Merged
+- fix: Restore ES5 compatibility [`#452`](https://github.com/xmldom/xmldom/pull/452) / [`#453`](https://github.com/xmldom/xmldom/issues/453)
+Thank you, [@fengxinming](https://github.com/fengxinming), for your contributions
+## [0.7.8](https://github.com/xmldom/xmldom/compare/0.7.7...0.7.8)
+### Merged
+- fix: Restore ES5 compatibility [`#452`](https://github.com/xmldom/xmldom/pull/452) / [`#453`](https://github.com/xmldom/xmldom/issues/453)
+Thank you, [@fengxinming](https://github.com/fengxinming), for your contributions
 ## [0.9.0-beta.4](https://github.com/xmldom/xmldom/compare/0.9.0-beta.3...0.9.0-beta.4)
 ### Fixed
@@ -22,6 +49,33 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 Thank you, [@XhmikosR](https://github.com/XhmikosR), [@awwright](https://github.com/awwright), [@frumioj](https://github.com/frumioj), [@cjbarth](https://github.com/cjbarth), [@markgollnick](https://github.com/markgollnick) for your contributions
+## [0.8.4](https://github.com/xmldom/xmldom/compare/0.8.3...0.8.4)
+### Fixed
+- Security: Prevent inserting DOM nodes when they are not well-formed [`CVE-2022-39353`](https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883)
+  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like `<` and `>` are encoded accordingly.
+  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
+  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
+  Related Spec: <https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity>
+Thank you, [@frumioj](https://github.com/frumioj), [@cjbarth](https://github.com/cjbarth), [@markgollnick](https://github.com/markgollnick) for your contributions
+## [0.7.7](https://github.com/xmldom/xmldom/compare/0.7.6...0.7.7)
+### Fixed
+- Security: Prevent inserting DOM nodes when they are not well-formed [`CVE-2022-39353`](https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883)
+  In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like `<` and `>` are encoded accordingly.
+  In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead.
+  This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior.
+  Related Spec: <https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity>
+Thank you, [@frumioj](https://github.com/frumioj), [@cjbarth](https://github.com/cjbarth), [@markgollnick](https://github.com/markgollnick) for your contributions
 ## [0.9.0-beta.3](https://github.com/xmldom/xmldom/compare/0.9.0-beta.2...0.9.0-beta.3)
 ### Fixed

package/lib/conventions.js CHANGED Viewed

@@ -1,5 +1,37 @@
 'use strict';
+/**
+ * Ponyfill for `Array.prototype.find` which is only available in ES6 runtimes.
+ *
+ * Works with anything that has a `length` property and index access properties, including NodeList.
+ *
+ * @template {unknown} T
+ * @param {Array<T> | ({length:number, [number]: T})} list
+ * @param {function (item: T, index: number, list:Array<T> | ({length:number, [number]: T})):boolean} predicate
+ * @param {Partial<Pick<ArrayConstructor['prototype'], 'find'>>?} ac `Array.prototype` by default,
+ * 				allows injecting a custom implementation in tests
+ * @returns {T | undefined}
+ *
+ * @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/find
+ * @see https://tc39.es/ecma262/multipage/indexed-collections.html#sec-array.prototype.find
+ */
+function find(list, predicate, ac) {
+	if (ac === undefined) {
+		ac = Array.prototype;
+	}
+	if (list && typeof ac.find === 'function') {
+		return ac.find.call(list, predicate);
+	}
+	for (var i = 0; i < list.length; i++) {
+		if (Object.prototype.hasOwnProperty.call(list, i)) {
+			var item = list[i];
+			if (predicate.call(undefined, item, i, list)) {
+				return item;
+			}
+		}
+	}
+}
 /**
  * "Shallow freezes" an object to render it immutable.
  * Uses `Object.freeze` if available,
@@ -330,6 +362,7 @@ var NAMESPACE = freeze({
 });
 exports.assign = assign;
+exports.find = find;
 exports.freeze = freeze;
 exports.HTML_BOOLEAN_ATTRIBUTES = HTML_BOOLEAN_ATTRIBUTES;
 exports.HTML_RAW_TEXT_ELEMENTS = HTML_RAW_TEXT_ELEMENTS;

package/lib/dom.js CHANGED Viewed

@@ -1,6 +1,7 @@
 'use strict';
 var conventions = require('./conventions');
+var find = conventions.find;
 var isHTMLRawTextElement = conventions.isHTMLRawTextElement;
 var isHTMLVoidElement = conventions.isHTMLVoidElement;
 var MIME_TYPE = conventions.MIME_TYPE;
@@ -180,14 +181,6 @@ NodeList.prototype = {
 		}
 		return buf.join('');
 	},
-	/**
-	 * @private
-	 * @param {function (Node):boolean} predicate
-	 * @returns {Node | undefined}
-	 */
-	find: function (predicate) {
-		return Array.prototype.find.call(this, predicate);
-	},
 	/**
 	 * @private
 	 * @param {function (Node):boolean} predicate
@@ -832,10 +825,10 @@ function isTextNode(node) {
  */
 function isElementInsertionPossible(doc, child) {
 	var parentChildNodes = doc.childNodes || [];
-	if (parentChildNodes.find(isElementNode) || isDocTypeNode(child)) {
+	if (find(parentChildNodes, isElementNode) || isDocTypeNode(child)) {
 		return false;
 	}
-	var docTypeNode = parentChildNodes.find(isDocTypeNode);
+	var docTypeNode = find(parentChildNodes, isDocTypeNode);
 	return !(child && docTypeNode && parentChildNodes.indexOf(docTypeNode) > parentChildNodes.indexOf(child));
 }
 /**
@@ -870,8 +863,8 @@ function _insertBefore(parent, node, child) {
 	var nodeChildNodes = node.childNodes || [];
 	if (parent.nodeType === Node.DOCUMENT_NODE) {
 		if (node.nodeType === Node.DOCUMENT_FRAGMENT_NODE) {
-			let nodeChildElements = nodeChildNodes.filter(isElementNode);
-			if (nodeChildElements.length > 1 || nodeChildNodes.find(isTextNode)) {
+			var nodeChildElements = nodeChildNodes.filter(isElementNode);
+			if (nodeChildElements.length > 1 || find(nodeChildNodes, isTextNode)) {
 				throw new DOMException(HIERARCHY_REQUEST_ERR, 'More than one element or text in fragment');
 			}
 			if (nodeChildElements.length === 1 && !isElementInsertionPossible(parent, child)) {
@@ -879,15 +872,15 @@ function _insertBefore(parent, node, child) {
 			}
 		}
 		if (isElementNode(node)) {
-			if (parentChildNodes.find(isElementNode) || !isElementInsertionPossible(parent, child)) {
+			if (find(parentChildNodes, isElementNode) || !isElementInsertionPossible(parent, child)) {
 				throw new DOMException(HIERARCHY_REQUEST_ERR, 'Only one element can be added and only after doctype');
 			}
 		}
 		if (isDocTypeNode(node)) {
-			if (parentChildNodes.find(isDocTypeNode)) {
+			if (find(parentChildNodes, isDocTypeNode)) {
 				throw new DOMException(HIERARCHY_REQUEST_ERR, 'Only one doctype is allowed');
 			}
-			let parentElementChild = parentChildNodes.find(isElementNode);
+			var parentElementChild = find(parentChildNodes, isElementNode);
 			if (child && parentChildNodes.indexOf(parentElementChild) < parentChildNodes.indexOf(child)) {
 				throw new DOMException(HIERARCHY_REQUEST_ERR, 'Doctype can only be inserted before an element');
 			}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@xmldom/xmldom",
-  "version": "0.9.0-beta.4",
+  "version": "0.9.0-beta.5",
   "description": "A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.",
   "keywords": [
     "w3c",
@@ -35,8 +35,9 @@
     "stryker": "stryker run",
     "stryker:dry-run": "stryker run -m '' --reporters progress",
     "test": "jest",
+    "testrelease": "npm test && npm run lint",
     "version": "./changelog-has-version.sh",
-    "release": "np --no-yarn"
+    "release": "np --no-yarn --test-script testrelease"
   },
   "engines": {
     "node": ">=10.0.0"