fast-xml-parser - npm Package Compare versions

Comparing version 4.2.2 to 4.2.3

CHANGELOG.md

 Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.
 
+**4.2.3 / 2023-06-05**
+* fix security bug
+
 **4.2.2 / 2023-04-18**
@@ -4,0 +7,0 @@ * fix #562: fix unpaired tag when it comes in last of a nested tag. Also throw error when unpaired tag is used as closing tag

package.json

 {
   "name": "fast-xml-parser",
-  "version": "4.2.2",
+  "version": "4.2.3",
   "description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",
@@ -5,0 +5,0 @@ "main": "./src/fxp.js",

src/xmlparser/DocTypeReader.js

@@ -22,3 +22,3 @@ //TODO: handle comments
                     if(val.indexOf("&") === -1) //Parameter entities are not supported
-                        entities[ entityName ] = {
+                        entities[ validateEntityName(entityName) ] = {
                             regx : RegExp( `&${entityName};`,"g"),
@@ -144,2 +144,14 @@ val: val
 
+//an entity name should not contains special characters that may be used in regex
+//Eg !?\\\/[]$%{}^&*()<>
+const specialChar = "!?\\\/[]$%{}^&*()<>";
+
+function validateEntityName(name){
+    for (let i = 0; i < specialChar.length; i++) {
+        const ch = specialChar[i];
+        if(name.indexOf(ch) !== -1) throw new Error(`Invalid character ${ch} in entity name`);
+    }
+    return name;
+}
+
 module.exports = readDocType;

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

104474

increased by0.44%

Lines of code

1974

increased by0.51%

No dependency changes