fast-xml-parser 4.2.2 → 4.2.4

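--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,11 @@
 Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.
 
+**4.2.4 / 2023-06-06**
+* fix security bug
+
+**4.2.3 / 2023-06-05**
+* fix security bug
+
 **4.2.2 / 2023-04-18**
 * fix #562: fix unpaired tag when it comes in last of a nested tag. Also throw error when unpaired tag is used as closing tag
 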
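--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
  "name": "fast-xml-parser",
- "version": "4.2.2",
+ "version": "4.2.4",
  "description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",
  "main": "./src/fxp.js",
  "scripts": {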
@@ -19,7 +19,7 @@ function readDocType(xmlData, i){
19
19
  i += 7;
20
20
  [entityName, val,i] = readEntityExp(xmlData,i+1);
21
21
  if(val.indexOf("&") === -1) //Parameter entities are not supported
22
- entities[ entityName ] = {
22
+ entities[ validateEntityName(entityName) ] = {
23
23
  regx : RegExp( `&${entityName};`,"g"),
24
24
  val: val
25
25
  };
@@ -140,4 +140,16 @@ function isNotation(xmlData, i){
140
140
  return false
141
141
  }
142
142
 
143
+ //an entity name should not contains special characters that may be used in regex
144
+ //Eg !?\\\/[]$%{}^&*()<>
145
+ const specialChar = "!?\\\/[]$%{}^&*()<>|+";
146
+
147
+ function validateEntityName(name){
148
+ for (let i = 0; i < specialChar.length; i++) {
149
+ const ch = specialChar[i];
150
+ if(name.indexOf(ch) !== -1) throw new Error(`Invalid character ${ch} in entity name`);
151
+ }
152
+ return name;
153
+ }
154
+
143
155
  module.exports = readDocType;
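Review bot: The denylist in `specialChar` omits `.`, which is a regex metacharacter, and because entityName is still interpolated unescaped into `RegExp(`&${entityName};`,"g")` on the unchanged line after the validated assignment, an entity declared as `a.b` would also match `&aXb;` in the document. Appending it is a one-character change, `const specialChar = "!?\\\/[]$%{}^&*()<>|+.";`, but a denylist is fragile for this purpose; the robust shape is an allowlist on the XML Name production, e.g. `if (!/^[A-Za-z_:][A-Za-z0-9_:.-]*$/.test(name)) throw new Error(`Invalid entity name ${name}`);` (constructed pattern, check against the spec), combined with escaping the name before the RegExp is built. The comment above `specialChar` should state why the check exists rather than listing characters: `// entity names are interpolated into a RegExp in readDocType; reject regex metacharacters so a crafted DOCTYPE cannot alter the pattern`. The file header for this hunk is not shown on the page, and readDocType itself starts outside the hunk.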