fast-xml-parser 4.5.2 → 4.5.4

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 <small>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</small>
 
+**4.5.4 / 2026-02-26**
+- support strictReservedNames
+- support captureMetaData
+- support maxNestedTags
+- handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
+- Improve security and performance of entity processing
+  - new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
+  - fast return when no edtity is present
+  - improvement replacement logic to reduce number of calls
+- fix: Escape regex char in entity name
+- fix: handle HTML numeric and hex entities when out of range
+- fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
+- Use Uint8Array in place of Buffer in Parser
+- Support EMPTY and ANY with ELEMENT in DOCTYPE
+- fix: support numeric entities with values over 0xFFFF (#726) (By Marc Durdin)
+
+
 **4.5.2 / 2025-02-18**
 - Fix null CDATA to comply with undefined behavior (#701) (By [Matthieu BOHEAS](https://github.com/Kelgors))
 - Fix(performance): Update check for leaf node in saveTextToParentTag function in OrderedObjParser.js (#707) (By [...](https://github.com/tomingtoming))

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "fast-xml-parser",
-  "version": "4.5.2",
+  "version": "4.5.4",
   "description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",
   "main": "./src/fxp.js",
   "scripts": {
-    "test": "nyc --reporter=lcov --reporter=text jasmine spec/*spec.js",
+    "test": "c8 --reporter=lcov --reporter=text jasmine spec/*spec.js",
     "test-types": "tsc --noEmit spec/typings/typings-test.ts",
     "unit": "jasmine",
-    "coverage": "nyc report --reporter html --reporter text -t .nyc_output --report-dir .nyc_output/summary",
     "perf": "node ./benchmark/perfTest3.js",
     "lint": "eslint src/*.js spec/*.js",
     "bundle": "webpack --config webpack-prod.config.js",
@@ -49,10 +48,10 @@
     "@babel/register": "^7.13.8",
     "@types/node": "20",
     "babel-loader": "^8.2.2",
+    "c8": "^10.1.3",
     "eslint": "^8.3.0",
     "he": "^1.2.0",
     "jasmine": "^3.6.4",
-    "nyc": "^15.1.0",
     "prettier": "^1.19.1",
     "publish-please": "^5.5.2",
     "typescript": "5",
@@ -60,11 +59,13 @@
     "webpack-cli": "^4.9.1"
   },
   "typings": "src/fxp.d.ts",
-  "funding": [{
-    "type": "github",
-    "url": "https://github.com/sponsors/NaturalIntelligence"
-  }],
+  "funding": [
+    {
+      "type": "github",
+      "url": "https://github.com/sponsors/NaturalIntelligence"
+    }
+  ],
   "dependencies": {
     "strnum": "^1.0.5"
   }
-}
+}

package/src/fxp.d.ts

@@ -1,4 +1,60 @@
-type X2jOptions = {
+export type ProcessEntitiesOptions = {
+  /**
+   * Whether to enable entity processing
+   * 
+   * Defaults to `true`
+   */
+  enabled?: boolean;
+
+  /**
+   * Maximum size in characters for a single entity definition
+   * 
+   * Defaults to `10000`
+   */
+  maxEntitySize?: number;
+
+  /**
+   * Maximum depth for nested entity references (reserved for future use)
+   * 
+   * Defaults to `10`
+   */
+  maxExpansionDepth?: number;
+
+  /**
+   * Maximum total number of entity expansions allowed
+   * 
+   * Defaults to `1000`
+   */
+  maxTotalExpansions?: number;
+
+  /**
+   * Maximum total expanded content length in characters
+   * 
+   * Defaults to `100000`
+   */
+  maxExpandedLength?: number;
+
+  /**
+   * Array of tag names where entity replacement is allowed.
+   * If null, entities are replaced in all tags.
+   * 
+   * Defaults to `null`
+   */
+  allowedTags?: string[] | null;
+
+  /**
+   * Custom filter function to determine if entities should be replaced in a tag
+   * 
+   * @param tagName - The name of the current tag
+   * @param jPath - The jPath of the current tag
+   * @returns `true` to allow entity replacement, `false` to skip
+   * 
+   * Defaults to `null`
+   */
+  tagFilter?: ((tagName: string, jPath: string) => boolean) | null;
+};
+
+export type X2jOptions = {
   /**
    * Preserve the order of tags in resulting JS object
    * 
@@ -10,7 +66,7 @@ type X2jOptions = {
    * Give a prefix to the attribute name in the resulting JS object
    * 
    * Defaults to '@_'
-   */  
+   */
   attributeNamePrefix?: string;
 
   /**
@@ -64,7 +120,7 @@ type X2jOptions = {
   parseTagValue?: boolean;
 
   /**
-   * Whether to parse tag value with `strnum` package
+   * Whether to parse attribute value with `strnum` package
    * 
    * Defaults to `false`
    */
@@ -161,9 +217,15 @@ type X2jOptions = {
   /**
    * Whether to process default and DOCTYPE entities
    * 
+   * When `true` - enables entity processing with default limits
+   * 
+   * When `false` - disables all entity processing
+   * 
+   * When `ProcessEntitiesOptions` - enables entity processing with custom configuration
+   * 
    * Defaults to `true`
    */
-  processEntities?: boolean;
+  processEntities?: boolean | ProcessEntitiesOptions;
 
   /**
    * Whether to process HTML entities
@@ -209,24 +271,46 @@ type X2jOptions = {
    * 
    * Defaults to `(tagName, jPath, attrs) => tagName`
    */
-  updateTag?: (tagName: string, jPath: string, attrs: {[k: string]: string}) =>  string | boolean;
+  updateTag?: (tagName: string, jPath: string, attrs: { [k: string]: string }) => string | boolean;
+
+  /**
+   * If true, adds a Symbol to all object nodes, accessible by {@link XMLParser.getMetaDataSymbol} with
+   * metadata about each the node in the XML file.
+   */
+  captureMetaData?: boolean;
+
+  /**
+   * Maximum number of nested tags
+   * 
+   * Defaults to `100`
+   */
+  maxNestedTags?: number;
+
+  /**
+   * Whether to strictly validate tag names
+   * 
+   * Defaults to `true`
+   */
+  strictReservedNames?: boolean;
 };
 
-type strnumOptions = {
+
+
+export type strnumOptions = {
   hex: boolean;
   leadingZeros: boolean,
   skipLike?: RegExp,
   eNotation?: boolean
 }
 
-type validationOptions = {
+export type validationOptions = {
   /**
    * Whether to allow attributes without value
    * 
    * Defaults to `false`
    */
   allowBooleanAttributes?: boolean;
-  
+
   /**
    * List of tags without closing tags
    * 
@@ -235,12 +319,12 @@ type validationOptions = {
   unpairedTags?: string[];
 };
 
-type XmlBuilderOptions = {
+export type XmlBuilderOptions = {
   /**
    * Give a prefix to the attribute name in the resulting JS object
    * 
    * Defaults to '@_'
-   */  
+   */
   attributeNamePrefix?: string;
 
   /**
@@ -387,20 +471,20 @@ type XmlBuilderOptions = {
   oneListGroup?: boolean;
 };
 
-type ESchema = string | object | Array<string|object>;
+type ESchema = string | object | Array<string | object>;
 
-type ValidationError = {
-  err: { 
+export type ValidationError = {
+  err: {
     code: string;
     msg: string,
     line: number,
-    col: number 
+    col: number
   };
 };
 
 export class XMLParser {
   constructor(options?: X2jOptions);
-  parse(xmlData: string | Buffer ,validationOptions?: validationOptions | boolean): any;
+  parse(xmlData: string | Uint8Array, validationOptions?: validationOptions | boolean): any;
   /**
    * Add Entity which is not by default supported by this library
    * @param entityIdentifier {string} Eg: 'ent' for &ent;
@@ -409,10 +493,10 @@ export class XMLParser {
   addEntity(entityIdentifier: string, entityValue: string): void;
 }
 
-export class XMLValidator{
-  static validate(  xmlData: string,  options?: validationOptions): true | ValidationError;
+export class XMLValidator {
+  static validate(xmlData: string, options?: validationOptions): true | ValidationError;
 }
 export class XMLBuilder {
   constructor(options?: XmlBuilderOptions);
-  build(jObj: any): any;
+  build(jObj: any): string;
 }

package/src/xmlbuilder/orderedJs2Xml.js

@@ -18,10 +18,21 @@ function arrToStr(arr, options, jPath, indentation) {
     let xmlStr = "";
     let isPreviousElementTag = false;
 
+
+    if (!Array.isArray(arr)) {
+        // Non-array values (e.g. string tag values) should be treated as text content
+        if (arr !== undefined && arr !== null) {
+            let text = arr.toString();
+            text = replaceEntitiesValue(text, options);
+            return text;
+        }
+        return "";
+    }
+
     for (let i = 0; i < arr.length; i++) {
         const tagObj = arr[i];
         const tagName = propName(tagObj);
-        if(tagName === undefined) continue;
+        if (tagName === undefined) continue;
 
         let newJPath = "";
         if (jPath.length === 0) newJPath = tagName
@@ -92,7 +103,7 @@ function propName(obj) {
     const keys = Object.keys(obj);
     for (let i = 0; i < keys.length; i++) {
         const key = keys[i];
-        if(!obj.hasOwnProperty(key)) continue;
+        if (!Object.prototype.hasOwnProperty.call(obj, key)) continue;
         if (key !== ":@") return key;
     }
 }
@@ -101,7 +112,7 @@ function attr_to_str(attrMap, options) {
     let attrStr = "";
     if (attrMap && !options.ignoreAttributes) {
         for (let attr in attrMap) {
-            if(!attrMap.hasOwnProperty(attr)) continue;
+            if (!Object.prototype.hasOwnProperty.call(attrMap, attr)) continue;
             let attrVal = options.attributeValueProcessor(attr, attrMap[attr]);
             attrVal = replaceEntitiesValue(attrVal, options);
             if (attrVal === true && options.suppressBooleanAttributes) {