fast-xml-parser 4.5.3 → 4.5.5

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 <small>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</small>
 
+**4.5.4 / 2026-02-26**
+- support strictReservedNames
+- support captureMetaData
+- support maxNestedTags
+- handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
+- Improve security and performance of entity processing
+  - new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
+  - fast return when no edtity is present
+  - improvement replacement logic to reduce number of calls
+- fix: Escape regex char in entity name
+- fix: handle HTML numeric and hex entities when out of range
+- fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute
+- Use Uint8Array in place of Buffer in Parser
+- Support EMPTY and ANY with ELEMENT in DOCTYPE
+- fix: support numeric entities with values over 0xFFFF (#726) (By Marc Durdin)
+
+
 **4.5.2 / 2025-02-18**
 - Fix null CDATA to comply with undefined behavior (#701) (By [Matthieu BOHEAS](https://github.com/Kelgors))
 - Fix(performance): Update check for leaf node in saveTextToParentTag function in OrderedObjParser.js (#707) (By [...](https://github.com/tomingtoming))

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "fast-xml-parser",
-  "version": "4.5.3",
+  "version": "4.5.5",
   "description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",
   "main": "./src/fxp.js",
   "scripts": {
-    "test": "nyc --reporter=lcov --reporter=text jasmine spec/*spec.js",
+    "test": "c8 --reporter=lcov --reporter=text jasmine spec/*spec.js",
     "test-types": "tsc --noEmit spec/typings/typings-test.ts",
     "unit": "jasmine",
-    "coverage": "nyc report --reporter html --reporter text -t .nyc_output --report-dir .nyc_output/summary",
     "perf": "node ./benchmark/perfTest3.js",
     "lint": "eslint src/*.js spec/*.js",
     "bundle": "webpack --config webpack-prod.config.js",
@@ -49,10 +48,10 @@
     "@babel/register": "^7.13.8",
     "@types/node": "20",
     "babel-loader": "^8.2.2",
+    "c8": "^10.1.3",
     "eslint": "^8.3.0",
     "he": "^1.2.0",
     "jasmine": "^3.6.4",
-    "nyc": "^15.1.0",
     "prettier": "^1.19.1",
     "publish-please": "^5.5.2",
     "typescript": "5",
@@ -67,6 +66,6 @@
     }
   ],
   "dependencies": {
-    "strnum": "^1.1.1"
+    "strnum": "^1.0.5"
   }
-}
+}

package/src/fxp.d.ts

@@ -1,4 +1,67 @@
-type X2jOptions = {
+export type ProcessEntitiesOptions = {
+  /**
+   * Whether to enable entity processing
+   * 
+   * Defaults to `true`
+   */
+  enabled?: boolean;
+
+  /**
+   * Maximum size in characters for a single entity definition
+   * 
+   * Defaults to `10000`
+   */
+  maxEntitySize?: number;
+
+  /**
+   * Maximum depth for nested entity references (reserved for future use)
+   * 
+   * Defaults to `10`
+   */
+  maxExpansionDepth?: number;
+
+  /**
+   * Maximum total number of entity expansions allowed
+   * 
+   * Defaults to `1000`
+   */
+  maxTotalExpansions?: number;
+
+  /**
+   * Maximum total expanded content length in characters
+   * 
+   * Defaults to `100000`
+   */
+  maxExpandedLength?: number;
+
+  /**
+   * Maximum number of entities allowed in the XML
+   * 
+   * Defaults to `100`
+   */
+  maxEntityCount?: number;
+
+  /**
+   * Array of tag names where entity replacement is allowed.
+   * If null, entities are replaced in all tags.
+   * 
+   * Defaults to `null`
+   */
+  allowedTags?: string[] | null;
+
+  /**
+   * Custom filter function to determine if entities should be replaced in a tag
+   * 
+   * @param tagName - The name of the current tag
+   * @param jPath - The jPath of the current tag
+   * @returns `true` to allow entity replacement, `false` to skip
+   * 
+   * Defaults to `null`
+   */
+  tagFilter?: ((tagName: string, jPath: string) => boolean) | null;
+};
+
+export type X2jOptions = {
   /**
    * Preserve the order of tags in resulting JS object
    * 
@@ -10,7 +73,7 @@ type X2jOptions = {
    * Give a prefix to the attribute name in the resulting JS object
    * 
    * Defaults to '@_'
-   */  
+   */
   attributeNamePrefix?: string;
 
   /**
@@ -64,7 +127,7 @@ type X2jOptions = {
   parseTagValue?: boolean;
 
   /**
-   * Whether to parse tag value with `strnum` package
+   * Whether to parse attribute value with `strnum` package
    * 
    * Defaults to `false`
    */
@@ -161,9 +224,15 @@ type X2jOptions = {
   /**
    * Whether to process default and DOCTYPE entities
    * 
+   * When `true` - enables entity processing with default limits
+   * 
+   * When `false` - disables all entity processing
+   * 
+   * When `ProcessEntitiesOptions` - enables entity processing with custom configuration
+   * 
    * Defaults to `true`
    */
-  processEntities?: boolean;
+  processEntities?: boolean | ProcessEntitiesOptions;
 
   /**
    * Whether to process HTML entities
@@ -209,24 +278,56 @@ type X2jOptions = {
    * 
    * Defaults to `(tagName, jPath, attrs) => tagName`
    */
-  updateTag?: (tagName: string, jPath: string, attrs: {[k: string]: string}) =>  string | boolean;
+  updateTag?: (tagName: string, jPath: string, attrs: { [k: string]: string }) => string | boolean;
+
+  /**
+   * If true, adds a Symbol to all object nodes, accessible by {@link XMLParser.getMetaDataSymbol} with
+   * metadata about each the node in the XML file.
+   */
+  captureMetaData?: boolean;
+
+  /**
+   * Maximum number of nested tags
+   * 
+   * Defaults to `100`
+   */
+  maxNestedTags?: number;
+
+  /**
+   * Whether to strictly validate tag names
+   * 
+   * Defaults to `true`
+   */
+  strictReservedNames?: boolean;
+
+  /**
+   * Function to sanitize dangerous property names
+   * 
+   * @param name - The name of the property
+   * @returns {string} The sanitized name
+   * 
+   * Defaults to `(name) => __name`
+   */
+  onDangerousProperty?: (name: string) => string;
 };
 
-type strnumOptions = {
+
+
+export type strnumOptions = {
   hex: boolean;
   leadingZeros: boolean,
   skipLike?: RegExp,
   eNotation?: boolean
 }
 
-type validationOptions = {
+export type validationOptions = {
   /**
    * Whether to allow attributes without value
    * 
    * Defaults to `false`
    */
   allowBooleanAttributes?: boolean;
-  
+
   /**
    * List of tags without closing tags
    * 
@@ -235,12 +336,12 @@ type validationOptions = {
   unpairedTags?: string[];
 };
 
-type XmlBuilderOptions = {
+export type XmlBuilderOptions = {
   /**
    * Give a prefix to the attribute name in the resulting JS object
    * 
    * Defaults to '@_'
-   */  
+   */
   attributeNamePrefix?: string;
 
   /**
@@ -385,22 +486,29 @@ type XmlBuilderOptions = {
 
 
   oneListGroup?: boolean;
+
+  /**
+ * Maximum number of nested tags
+ * 
+ * Defaults to `100`
+ */
+  maxNestedTags?: number;
 };
 
-type ESchema = string | object | Array<string|object>;
+type ESchema = string | object | Array<string | object>;
 
-type ValidationError = {
-  err: { 
+export type ValidationError = {
+  err: {
     code: string;
     msg: string,
     line: number,
-    col: number 
+    col: number
   };
 };
 
 export class XMLParser {
   constructor(options?: X2jOptions);
-  parse(xmlData: string | Buffer ,validationOptions?: validationOptions | boolean): any;
+  parse(xmlData: string | Uint8Array, validationOptions?: validationOptions | boolean): any;
   /**
    * Add Entity which is not by default supported by this library
    * @param entityIdentifier {string} Eg: 'ent' for &ent;
@@ -409,10 +517,10 @@ export class XMLParser {
   addEntity(entityIdentifier: string, entityValue: string): void;
 }
 
-export class XMLValidator{
-  static validate(  xmlData: string,  options?: validationOptions): true | ValidationError;
+export class XMLValidator {
+  static validate(xmlData: string, options?: validationOptions): true | ValidationError;
 }
 export class XMLBuilder {
   constructor(options?: XmlBuilderOptions);
-  build(jObj: any): any;
+  build(jObj: any): string;
 }

package/src/util.js

@@ -5,7 +5,7 @@ const nameChar = nameStartChar + '\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040';
 const nameRegexp = '[' + nameStartChar + '][' + nameChar + ']*'
 const regexName = new RegExp('^' + nameRegexp + '$');
 
-const getAllMatches = function(string, regex) {
+const getAllMatches = function (string, regex) {
   const matches = [];
   let match = regex.exec(string);
   while (match) {
@@ -21,16 +21,16 @@ const getAllMatches = function(string, regex) {
   return matches;
 };
 
-const isName = function(string) {
+const isName = function (string) {
   const match = regexName.exec(string);
   return !(match === null || typeof match === 'undefined');
 };
 
-exports.isExist = function(v) {
+exports.isExist = function (v) {
   return typeof v !== 'undefined';
 };
 
-exports.isEmptyObject = function(obj) {
+exports.isEmptyObject = function (obj) {
   return Object.keys(obj).length === 0;
 };
 
@@ -39,13 +39,13 @@ exports.isEmptyObject = function(obj) {
  * @param {*} target
  * @param {*} a
  */
-exports.merge = function(target, a, arrayMode) {
+exports.merge = function (target, a, arrayMode) {
   if (a) {
     const keys = Object.keys(a); // will return an array of own properties
     const len = keys.length; //don't make it inline
     for (let i = 0; i < len; i++) {
       if (arrayMode === 'strict') {
-        target[keys[i]] = [ a[keys[i]] ];
+        target[keys[i]] = [a[keys[i]]];
       } else {
         target[keys[i]] = a[keys[i]];
       }
@@ -56,7 +56,7 @@ exports.merge = function(target, a, arrayMode) {
   return Object.assign(b,a);
 } */
 
-exports.getValue = function(v) {
+exports.getValue = function (v) {
   if (exports.isExist(v)) {
     return v;
   } else {
@@ -64,9 +64,26 @@ exports.getValue = function(v) {
   }
 };
 
-// const fakeCall = function(a) {return a;};
-// const fakeCallNoReturn = function() {};
+/**
+ * Dangerous property names that could lead to prototype pollution or security issues
+ */
+const DANGEROUS_PROPERTY_NAMES = [
+  // '__proto__',
+  // 'constructor',
+  // 'prototype',
+  'hasOwnProperty',
+  'toString',
+  'valueOf',
+  '__defineGetter__',
+  '__defineSetter__',
+  '__lookupGetter__',
+  '__lookupSetter__'
+];
+
+const criticalProperties = ["__proto__", "constructor", "prototype"];
 
 exports.isName = isName;
 exports.getAllMatches = getAllMatches;
 exports.nameRegexp = nameRegexp;
+exports.DANGEROUS_PROPERTY_NAMES = DANGEROUS_PROPERTY_NAMES;
+exports.criticalProperties = criticalProperties;

package/src/xmlbuilder/orderedJs2Xml.js

@@ -18,10 +18,21 @@ function arrToStr(arr, options, jPath, indentation) {
     let xmlStr = "";
     let isPreviousElementTag = false;
 
+
+    if (!Array.isArray(arr)) {
+        // Non-array values (e.g. string tag values) should be treated as text content
+        if (arr !== undefined && arr !== null) {
+            let text = arr.toString();
+            text = replaceEntitiesValue(text, options);
+            return text;
+        }
+        return "";
+    }
+
     for (let i = 0; i < arr.length; i++) {
         const tagObj = arr[i];
         const tagName = propName(tagObj);
-        if(tagName === undefined) continue;
+        if (tagName === undefined) continue;
 
         let newJPath = "";
         if (jPath.length === 0) newJPath = tagName
@@ -92,7 +103,7 @@ function propName(obj) {
     const keys = Object.keys(obj);
     for (let i = 0; i < keys.length; i++) {
         const key = keys[i];
-        if(!obj.hasOwnProperty(key)) continue;
+        if (!Object.prototype.hasOwnProperty.call(obj, key)) continue;
         if (key !== ":@") return key;
     }
 }
@@ -101,7 +112,7 @@ function attr_to_str(attrMap, options) {
     let attrStr = "";
     if (attrMap && !options.ignoreAttributes) {
         for (let attr in attrMap) {
-            if(!attrMap.hasOwnProperty(attr)) continue;
+            if (!Object.prototype.hasOwnProperty.call(attrMap, attr)) continue;
             let attrVal = options.attributeValueProcessor(attr, attrMap[attr]);
             attrVal = replaceEntitiesValue(attrVal, options);
             if (attrVal === true && options.suppressBooleanAttributes) {