fast-xml-parser - npm Package Compare versions

Comparing version 2.5.0 to 2.5.1

bin/parser.js

@@ -16,3 +16,3 @@ var getAllMatches = require("./util").getAllMatches;
 var cdataRegx = "<!\\[CDATA\\[([^\\]\\]]*)\\]\\]>"
-var tagsRegx = new RegExp("<(\\/?[\\w:-]+)([^>]*)>(<!\\[CDATA\\[([^\\]\\]]*)\\]\\]>)*([^<]+)?","g");
+var tagsRegx = new RegExp("<(\\/?[\\w:\\-\._]+)([^>]*)>(<!\\[CDATA\\[([^\\]\\]]*)\\]\\]>)*([^<]+)?","g");
 
@@ -19,0 +19,0 @@ var defaultOptions = {

bin/util.js

 var getAllMatches = function(string, regex) {
-  //var regex = new RegExp(regex_str,"g");
   var matches = [];
@@ -16,2 +15,15 @@ var match = regex.exec(string);
 
+
+var doesMatch = function(string,regex){
+  var match = regex.exec(string);
+  if(match === null || match === undefined) return false;
+  else return true;
+}
+
+var doesNotMatch = function(string,regex){
+  return !doesMatch(string,regex);
+}
+
+exports.doesMatch = doesMatch
+exports.doesNotMatch = doesNotMatch
 exports.getAllMatches = getAllMatches;

bin/validator.js

@@ -1,5 +0,6 @@
-var getAllMatches = require("./util").getAllMatches;
+var util = require("./util");
 
-var tagsPattern = new RegExp("<\\/?([\\w:\\-]+)\\s*\/?>","g");
-exports.validate = function validate2(xmlData){
+
+var tagsPattern = new RegExp("<\\/?([\\w:\\-_\.]+)\\s*\/?>","g");
+exports.validate = function(xmlData){
     xmlData = xmlData.replace(/\n/g,"");//make it single line
@@ -11,8 +12,8 @@ xmlData = xmlData.replace(/(<!\[CDATA\[.*?\]\]>)/g,"");//Remove all CDATA
     xmlData = xmlData.replace(/(^\s*<\?xml\s*\?>)/g,"");//Remove XML starting tag
-    
     if(xmlData.indexOf("<![CDATA[") > 0 || xmlData.indexOf("<!--") > 0 ) return false;
-    var tags = getAllMatches(xmlData,tagsPattern);
+    var tags = util.getAllMatches(xmlData,tagsPattern);
     if(tags.length === 0) return false; //non xml string
     
     var result = checkForMatchingTag(tags,0);
+    
 
@@ -23,6 +24,16 @@ if(result !== true) return false; else return true;
 
-var attrStringPattern = new RegExp("<[\\w:\-]+(.*?)\/?>","g");
+
+var startsWithXML = new RegExp("^[Xx][Mm][Ll]");
+var startsWith = new RegExp("^([a-zA-Z]|_)[\\w\.\\-_:]*");
+
+function validateTagName(tagname){
+    if(util.doesMatch(tagname,startsWithXML)) return false;
+    else if(util.doesNotMatch(tagname,startsWith)) return false;
+    else return true;
+}
+
+var attrStringPattern = new RegExp("<[\\w:\\-_\.]+(.*?)\/?>","g");
 var attrPattern = new RegExp("\\s+([\\w:\-]+)\\s*=\\s*(['\"])(.*?)\\2","g");
 function validateAttributes(xmlData){
-    var attrStrings = getAllMatches(xmlData,attrStringPattern);
+    var attrStrings = util.getAllMatches(xmlData,attrStringPattern);
     for (i=0;i<attrStrings.length;i++){
@@ -32,3 +43,3 @@ if(attrStrings[i][1].trim().length > 0 && attrStrings[i][1].trim().length < 4){ //invalid attributes
         }else if(attrStrings[i][1].trim().length !== 0){
-            var attrsList = getAllMatches(attrStrings[i][1],attrPattern);
+            var attrsList = util.getAllMatches(attrStrings[i][1],attrPattern);
             var attrNames=[];
@@ -55,7 +66,9 @@ for (j=0;j<attrsList.length;j++){
     }else if(tags[i][0].indexOf("/>") === tags[i][0].length-2){//Self closing tag
+        if(validateTagName(tags[i][0].substring(1)) === false) return -1;
         return checkForMatchingTag(tags,i+1);
 
     }else if(tags.length > i+1){
-        if(tags[i+1][0].indexOf("</") === 0){
-            if(tags[i][1] === tags[i+1][1]) {
+        if(tags[i+1][0].indexOf("</") === 0){//next tag
+            if(validateTagName(tags[i][1]) === false) return -1;
+            if(tags[i][1] === tags[i+1][1]) {//matching with next closing tag
                 return checkForMatchingTag(tags,i+2);
@@ -67,3 +80,4 @@ }else {
             var nextIndex = checkForMatchingTag(tags,i+1);
-            if(nextIndex !== -1 && tags[nextIndex][0].indexOf("</") === 0){ 
+            if(nextIndex !== -1 && tags[nextIndex][0].indexOf("</") === 0){
+                if(validateTagName(tags[i][1]) === false) return -1;
                 if(tags[i][1] === tags[nextIndex][1]) {
@@ -70,0 +84,0 @@ return checkForMatchingTag(tags,nextIndex+1);

lib/parser.js

@@ -17,3 +17,3 @@ (function(f){if(typeof exports==="object"&&typeof module!=="undefined"){module.exports=f()}else if(typeof define==="function"&&define.amd){define([],f)}else{var g;if(typeof window!=="undefined"){g=window}else if(typeof global!=="undefined"){g=global}else if(typeof self!=="undefined"){g=self}else{g=this}g.parser = f()}})(function(){var define,module,exports;return (function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o<r.length;o++)s(r[o]);return s})({1:[function(require,module,exports){
 var cdataRegx = "<!\\[CDATA\\[([^\\]\\]]*)\\]\\]>"
-var tagsRegx = new RegExp("<(\\/?[\\w:-]+)([^>]*)>(<!\\[CDATA\\[([^\\]\\]]*)\\]\\]>)*([^<]+)?","g");
+var tagsRegx = new RegExp("<(\\/?[\\w:\\-\._]+)([^>]*)>(<!\\[CDATA\\[([^\\]\\]]*)\\]\\]>)*([^<]+)?","g");
 
@@ -182,3 +182,2 @@ var defaultOptions = {
 var getAllMatches = function(string, regex) {
-  //var regex = new RegExp(regex_str,"g");
   var matches = [];
@@ -197,8 +196,22 @@ var match = regex.exec(string);
 
+
+var doesMatch = function(string,regex){
+  var match = regex.exec(string);
+  if(match === null || match === undefined) return false;
+  else return true;
+}
+
+var doesNotMatch = function(string,regex){
+  return !doesMatch(string,regex);
+}
+
+exports.doesMatch = doesMatch
+exports.doesNotMatch = doesNotMatch
 exports.getAllMatches = getAllMatches;
 },{}],3:[function(require,module,exports){
-var getAllMatches = require("./util").getAllMatches;
+var util = require("./util");
 
-var tagsPattern = new RegExp("<\\/?([\\w:\\-]+)\\s*\/?>","g");
-exports.validate = function validate2(xmlData){
+
+var tagsPattern = new RegExp("<\\/?([\\w:\\-_\.]+)\\s*\/?>","g");
+exports.validate = function(xmlData){
     xmlData = xmlData.replace(/\n/g,"");//make it single line
@@ -210,8 +223,8 @@ xmlData = xmlData.replace(/(<!\[CDATA\[.*?\]\]>)/g,"");//Remove all CDATA
     xmlData = xmlData.replace(/(^\s*<\?xml\s*\?>)/g,"");//Remove XML starting tag
-    
     if(xmlData.indexOf("<![CDATA[") > 0 || xmlData.indexOf("<!--") > 0 ) return false;
-    var tags = getAllMatches(xmlData,tagsPattern);
+    var tags = util.getAllMatches(xmlData,tagsPattern);
     if(tags.length === 0) return false; //non xml string
     
     var result = checkForMatchingTag(tags,0);
+    
 
@@ -222,6 +235,16 @@ if(result !== true) return false; else return true;
 
-var attrStringPattern = new RegExp("<[\\w:\-]+(.*?)\/?>","g");
+
+var startsWithXML = new RegExp("^[Xx][Mm][Ll]");
+var startsWith = new RegExp("^([a-zA-Z]|_)[\\w\.\\-_:]*");
+
+function validateTagName(tagname){
+    if(util.doesMatch(tagname,startsWithXML)) return false;
+    else if(util.doesNotMatch(tagname,startsWith)) return false;
+    else return true;
+}
+
+var attrStringPattern = new RegExp("<[\\w:\\-_\.]+(.*?)\/?>","g");
 var attrPattern = new RegExp("\\s+([\\w:\-]+)\\s*=\\s*(['\"])(.*?)\\2","g");
 function validateAttributes(xmlData){
-    var attrStrings = getAllMatches(xmlData,attrStringPattern);
+    var attrStrings = util.getAllMatches(xmlData,attrStringPattern);
     for (i=0;i<attrStrings.length;i++){
@@ -231,3 +254,3 @@ if(attrStrings[i][1].trim().length > 0 && attrStrings[i][1].trim().length < 4){ //invalid attributes
         }else if(attrStrings[i][1].trim().length !== 0){
-            var attrsList = getAllMatches(attrStrings[i][1],attrPattern);
+            var attrsList = util.getAllMatches(attrStrings[i][1],attrPattern);
             var attrNames=[];
@@ -254,7 +277,9 @@ for (j=0;j<attrsList.length;j++){
     }else if(tags[i][0].indexOf("/>") === tags[i][0].length-2){//Self closing tag
+        if(validateTagName(tags[i][0].substring(1)) === false) return -1;
         return checkForMatchingTag(tags,i+1);
 
     }else if(tags.length > i+1){
-        if(tags[i+1][0].indexOf("</") === 0){
-            if(tags[i][1] === tags[i+1][1]) {
+        if(tags[i+1][0].indexOf("</") === 0){//next tag
+            if(validateTagName(tags[i][1]) === false) return -1;
+            if(tags[i][1] === tags[i+1][1]) {//matching with next closing tag
                 return checkForMatchingTag(tags,i+2);
@@ -266,3 +291,4 @@ }else {
             var nextIndex = checkForMatchingTag(tags,i+1);
-            if(nextIndex !== -1 && tags[nextIndex][0].indexOf("</") === 0){ 
+            if(nextIndex !== -1 && tags[nextIndex][0].indexOf("</") === 0){
+                if(validateTagName(tags[i][1]) === false) return -1;
                 if(tags[i][1] === tags[nextIndex][1]) {
@@ -269,0 +295,0 @@ return checkForMatchingTag(tags,nextIndex+1);

package.json

 {
   "name": "fast-xml-parser",
-  "version": "2.5.0",
+  "version": "2.5.1",
   "description": "Validate XML or Parse XML to JS/JSON very fast without C/C++ based libraries",
@@ -5,0 +5,0 @@ "main": "./bin/parser.js",

New alerts

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Fixed alerts

Dynamic require

Supply chain risk

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Found 1 instance in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

185131

0.87%

Lines of code

563

7.24%

No dependency changes