@xmldom/xmldom 0.9.8 → 0.9.9

package/CHANGELOG.md

@@ -4,6 +4,54 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.9](https://github.com/xmldom/xmldom/compare/0.9.8...0.9.9)
+
+### Added
+
+- implement `ParentNode.children` getter [`#960`](https://github.com/xmldom/xmldom/pull/960) / [`#410`](https://github.com/xmldom/xmldom/issues/410)
+
+### Fixed
+
+- Security: `createCDATASection` now throws `InvalidCharacterError` when `data` contains `"]]>"`, as required by the [WHATWG DOM spec](https://dom.spec.whatwg.org/#dom-document-createcdatasection). [`GHSA-wh4c-j3r5-mjhp`](https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp)
+- Security: `XMLSerializer` now splits CDATASection nodes whose data contains `"]]>"` into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (`appendData`, `replaceData`, `.data =`, `.textContent =`). [`GHSA-wh4c-j3r5-mjhp`](https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp)
+- correctly traverse ancestor chain in `Node.contains` [`#931`](https://github.com/xmldom/xmldom/pull/931)
+
+Code that passes a string containing `"]]>"` to `createCDATASection` and relied on the previously unsafe behavior will now receive `InvalidCharacterError`. Use a mutation method such as `appendData` if you intentionally need `"]]>"` in a CDATASection node's data.
+
+### Chore
+
+- updated dependencies
+
+Thank you,
+[@stevenobiajulu](https://github.com/stevenobiajulu),
+[@yoshi389111](https://github.com/yoshi389111),
+[@thesmartshadow](https://github.com/thesmartshadow),
+for your contributions
+
+
+## [0.8.12](https://github.com/xmldom/xmldom/compare/0.8.11...0.8.12)
+
+### Fixed
+
+- preserve trailing whitespace in ProcessingInstruction data [`#962`](https://github.com/xmldom/xmldom/pull/962) / [`#42`](https://github.com/xmldom/xmldom/issues/42)
+- Security: `createCDATASection` now throws `InvalidCharacterError` when `data` contains `"]]>"`, as required by the [WHATWG DOM spec](https://dom.spec.whatwg.org/#dom-document-createcdatasection). [`GHSA-wh4c-j3r5-mjhp`](https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp)
+- Security: `XMLSerializer` now splits CDATASection nodes whose data contains `"]]>"` into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (`appendData`, `replaceData`, `.data =`, `.textContent =`). [`GHSA-wh4c-j3r5-mjhp`](https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp)
+
+Code that passes a string containing `"]]>"` to `createCDATASection` and relied on the previously unsafe behavior will now receive `InvalidCharacterError`. Use a mutation method such as `appendData` if you intentionally need `"]]>"` in a CDATASection node's data.
+
+Thank you,
+[@thesmartshadow](https://github.com/thesmartshadow),
+[@stevenobiajulu](https://github.com/stevenobiajulu),
+for your contributions
+
+## [0.8.11](https://github.com/xmldom/xmldom/compare/0.8.10...0.8.11)
+
+### Fixed
+
+- update `ownerDocument` when moving nodes between documents [`#933`](https://github.com/xmldom/xmldom/pull/933) / [`#932`](https://github.com/xmldom/xmldom/issues/932)
+
+Thank you, [@shunkica](https://github.com/shunkica), for your contributions
+
 ## [0.9.8](https://github.com/xmldom/xmldom/compare/0.9.8...0.9.7)
 
 ### Fixed

package/index.d.ts

@@ -827,6 +827,15 @@ declare module '@xmldom/xmldom' {
 		 */
 		readonly tagName: string;
 
+		/**
+		 * Returns a live collection of the direct child elements of this element.
+		 *
+		 * [MDN Reference](https://developer.mozilla.org/docs/Web/API/Element/children)
+		 *
+		 * @see https://dom.spec.whatwg.org/#dom-parentnode-children
+		 */
+		readonly children: LiveNodeList<Element>;
+
 		/**
 		 * Returns element's first attribute whose qualified name is qualifiedName, and null if there
 		 * is no such attribute otherwise.
@@ -1085,6 +1094,16 @@ declare module '@xmldom/xmldom' {
 	 */
 	interface DocumentFragment extends Node {
 		readonly ownerDocument: Document;
+
+		/**
+		 * Returns a live collection of the direct child elements of this document fragment.
+		 *
+		 * [MDN Reference](https://developer.mozilla.org/docs/Web/API/DocumentFragment/children)
+		 *
+		 * @see https://dom.spec.whatwg.org/#dom-parentnode-children
+		 */
+		readonly children: LiveNodeList<Element>;
+
 		getElementById(elementId: string): Element | null;
 	}
 	var DocumentFragment: InstanceOf<DocumentFragment>;
@@ -1152,6 +1171,15 @@ declare module '@xmldom/xmldom' {
 		 */
 		readonly documentElement: Element | null;
 
+		/**
+		 * Returns a live collection of the direct child elements of this document.
+		 *
+		 * [MDN Reference](https://developer.mozilla.org/docs/Web/API/Document/children)
+		 *
+		 * @see https://dom.spec.whatwg.org/#dom-parentnode-children
+		 */
+		readonly children: LiveNodeList<Element>;
+
 		/**
 		 * Creates an attribute object with a specified name.
 		 *
@@ -1163,9 +1191,15 @@ declare module '@xmldom/xmldom' {
 		createAttributeNS(namespace: string | null, qualifiedName: string): Attr;
 
 		/**
-		 * Returns a CDATASection node whose data is data.
+		 * Returns a new CDATASection node whose data is `data`.
+		 *
+		 * __This implementation differs from the specification:__ - calling this method on an HTML
+		 * document does not throw `NotSupportedError`.
 		 *
-		 * [MDN Reference](https://developer.mozilla.org/docs/Web/API/Document/createCDATASection)
+		 * @throws {DOMException}
+		 * With code `INVALID_CHARACTER_ERR` if `data` contains `"]]>"`.
+		 * @see https://developer.mozilla.org/en-US/docs/Web/API/Document/createCDATASection
+		 * @see https://dom.spec.whatwg.org/#dom-document-createcdatasection
 		 */
 		createCDATASection(data: string): CDATASection;
 
@@ -1430,6 +1464,16 @@ declare module '@xmldom/xmldom' {
 	}
 
 	class XMLSerializer {
+		/**
+		 * Returns the result of serializing `node` to XML.
+		 *
+		 * __This implementation differs from the specification:__ - CDATASection nodes whose data
+		 * contains `]]>` are serialized by splitting the section at each `]]>` occurrence (following
+		 * W3C DOM Level 3 Core `split-cdata-sections`
+		 * default behaviour). A configurable option is not yet implemented.
+		 *
+		 * @see https://html.spec.whatwg.org/#dom-xmlserializer-serializetostring
+		 */
 		serializeToString(node: Node, nodeFilter?: (node: Node) => boolean): string;
 	}
 	// END ./lib/dom.js

package/lib/dom.js

@@ -1082,7 +1082,7 @@ Node.prototype = {
 		var parent = other;
 		do {
 			if (this === parent) return true;
-			parent = other.parentNode;
+			parent = parent.parentNode;
 		} while (parent);
 		return false;
 	},
@@ -2210,10 +2210,22 @@ Document.prototype = {
 		return node;
 	},
 	/**
+	 * Returns a new CDATASection node whose data is `data`.
+	 *
+	 * __This implementation differs from the specification:__ - calling this method on an HTML
+	 * document does not throw `NotSupportedError`.
+	 *
 	 * @param {string} data
 	 * @returns {CDATASection}
+	 * @throws {DOMException}
+	 * With code `INVALID_CHARACTER_ERR` if `data` contains `"]]>"`.
+	 * @see https://developer.mozilla.org/en-US/docs/Web/API/Document/createCDATASection
+	 * @see https://dom.spec.whatwg.org/#dom-document-createcdatasection
 	 */
 	createCDATASection: function (data) {
+		if (data.indexOf(']]>') !== -1) {
+			throw new DOMException(DOMException.INVALID_CHARACTER_ERR, 'data contains "]]>"');
+		}
 		var node = new CDATASection(PDC);
 		node.ownerDocument = this;
 		node.childNodes = new NodeList();
@@ -2693,6 +2705,19 @@ function ProcessingInstruction(symbol) {
 ProcessingInstruction.prototype.nodeType = PROCESSING_INSTRUCTION_NODE;
 _extends(ProcessingInstruction, CharacterData);
 function XMLSerializer() {}
+/**
+ * Returns the result of serializing `node` to XML.
+ *
+ * __This implementation differs from the specification:__ - CDATASection nodes whose data
+ * contains `]]>` are serialized by splitting the section at each `]]>` occurrence (following
+ * W3C DOM Level 3 Core `split-cdata-sections`
+ * default behaviour). A configurable option is not yet implemented.
+ *
+ * @param {Node} node
+ * @param {function} [nodeFilter]
+ * @returns {string}
+ * @see https://html.spec.whatwg.org/#dom-xmlserializer-serializetostring
+ */
 XMLSerializer.prototype.serializeToString = function (node, nodeFilter) {
 	return nodeSerializeToString.call(node, nodeFilter);
 };
@@ -2917,7 +2942,7 @@ function serializeToString(node, buf, nodeFilter, visibleNamespaces) {
 			 */
 			return buf.push(node.data.replace(/[<&>]/g, _xmlEncoder));
 		case CDATA_SECTION_NODE:
-			return buf.push(g.CDATA_START, node.data, g.CDATA_END);
+			return buf.push(g.CDATA_START, node.data.replace(/]]>/g, ']]]]><![CDATA[>'), g.CDATA_END);
 		case COMMENT_NODE:
 			return buf.push(g.COMMENT_START, node.data, g.COMMENT_END);
 		case DOCUMENT_TYPE_NODE:
@@ -3051,6 +3076,22 @@ function cloneNode(doc, node, deep) {
 function __set__(object, key, value) {
 	object[key] = value;
 }
+
+// Returns a new array of direct Element children.
+// Passed to LiveNodeList to implement ParentNode.children.
+// https://dom.spec.whatwg.org/#dom-parentnode-children
+function childrenRefresh(node) {
+	var ls = [];
+	var child = node.firstChild;
+	while (child) {
+		if (child.nodeType === ELEMENT_NODE) {
+			ls.push(child);
+		}
+		child = child.nextSibling;
+	}
+	return ls;
+}
+
 //do dynamic
 try {
 	if (Object.defineProperty) {
@@ -3104,6 +3145,22 @@ try {
 			}
 		}
 
+		Object.defineProperty(Element.prototype, 'children', {
+			get: function () {
+				return new LiveNodeList(this, childrenRefresh);
+			},
+		});
+		Object.defineProperty(Document.prototype, 'children', {
+			get: function () {
+				return new LiveNodeList(this, childrenRefresh);
+			},
+		});
+		Object.defineProperty(DocumentFragment.prototype, 'children', {
+			get: function () {
+				return new LiveNodeList(this, childrenRefresh);
+			},
+		});
+
 		__set__ = function (object, key, value) {
 			//console.log(value)
 			object['$$' + key] = value;

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@xmldom/xmldom",
-	"version": "0.9.8",
+	"version": "0.9.9",
 	"description": "A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.",
 	"keywords": [
 		"w3c",
@@ -30,6 +30,7 @@
 	"scripts": {
 		"lint": "eslint examples lib test",
 		"format": "prettier --write examples lib test index.d.ts",
+		"format:check": "prettier --check examples lib test index.d.ts",
 		"changelog": "auto-changelog --unreleased-only",
 		"start": "nodemon --watch package.json --watch lib --watch test --exec 'npm --silent run test && npm --silent run lint'",
 		"test": "jest",
@@ -43,21 +44,21 @@
 		"node": ">=14.6"
 	},
 	"devDependencies": {
-		"@homer0/prettier-plugin-jsdoc": "9.1.0",
+		"@homer0/prettier-plugin-jsdoc": "10.0.0",
 		"auto-changelog": "2.5.0",
 		"eslint": "8.57.1",
-		"eslint-config-prettier": "10.0.1",
+		"eslint-config-prettier": "10.1.8",
 		"eslint-plugin-anti-trojan-source": "1.1.1",
 		"eslint-plugin-es5": "1.5.0",
-		"eslint-plugin-n": "17.15.1",
-		"eslint-plugin-prettier": "5.2.3",
+		"eslint-plugin-n": "17.21.3",
+		"eslint-plugin-prettier": "5.5.4",
 		"get-stream": "6.0.1",
 		"jest": "29.7.0",
-		"nodemon": "3.1.9",
+		"nodemon": "3.1.10",
 		"np": "8.0.4",
-		"prettier": "3.5.2",
+		"prettier": "3.6.2",
 		"xmltest": "2.0.3",
-		"yauzl": "3.2.0"
+		"yauzl": "3.2.1"
 	},
 	"bugs": {
 		"url": "https://github.com/xmldom/xmldom/issues"
@@ -69,5 +70,5 @@
 		"tagPrefix": "",
 		"template": "./auto-changelog.hbs"
 	},
-	"packageManager": "npm@11.1.0+sha512.acf301ad9b9ddba948fcb72341e2f0fcae477f56a95cc2a092934d133a7461062633cefbf93d5934a3dc0768674e2edee9f04dcfcc4bb4c327ff0e3a7d552a1b"
+	"packageManager": "npm@11.6.3+sha512.4085a763162e0e3acd19a4e9d23ad3aa0978e501ccf947dd7233c12a689ae0bb0190763c4ef12366990056b34eec438903ffed38fde4fbd722a17c2a7407ee92"
 }

package/readme.md

@@ -289,6 +289,13 @@ import { DOMParser } from '@xmldom/xmldom'
   - `isDefaultNamespace(namespaceURI)`
   - `lookupNamespaceURI(prefix)`
 
+### DOM Living Standard support:
+
+* [ParentNode](https://dom.spec.whatwg.org/#interface-parentnode) mixin (on `Document`, `DocumentFragment`, `Element`)
+
+  readonly attribute:
+  - `children`
+
 ### DOM extension by xmldom
 
 * [Node] Source position extension;