🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

fast-xml-parser

Package Overview
Dependencies
Maintainers
1
Versions
197
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

fast-xml-parser - npm Package Compare versions

Comparing version
4.5.6
to
4.5.7
+3
-0
CHANGELOG.md
<small>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</small>
**4.5.5 / 2026-07-02**
- fix: escape comment and CDATA delimiters when building XML (By [greymoth](https://github.com/greymoth-jp))
**4.5.4 / 2026-02-26**

@@ -4,0 +7,0 @@ - support strictReservedNames

+2
-2
{
"name": "fast-xml-parser",
"version": "4.5.6",
"version": "4.5.7",
"description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",

@@ -71,2 +71,2 @@ "main": "./src/fxp.js",

}
}
}

@@ -209,3 +209,6 @@ 'use strict';

} else if (this.options.commentPropName !== false && key === this.options.commentPropName && piClosingChar.length === 0) {
return this.indentate(level) + `<!--${val}-->` + this.newLine;
const safeVal = String(val)
.replace(/--/g, '- -') // -- is illegal anywhere in comment content
.replace(/-$/, '- '); // trailing - would form --> with the closing delimiter
return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}else {

@@ -246,5 +249,9 @@ return (

if (this.options.cdataPropName !== false && key === this.options.cdataPropName) {
return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;
const safeVal = String(val).replace(/\]\]>/g, ']]]]><![CDATA[>');
return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}else if (this.options.commentPropName !== false && key === this.options.commentPropName) {
return this.indentate(level) + `<!--${val}-->` + this.newLine;
const safeVal = String(val)
.replace(/--/g, '- -') // -- is illegal anywhere in comment content
.replace(/-$/, '- '); // trailing - would form --> with the closing delimiter
return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}else if(key[0] === "?") {//PI tag

@@ -251,0 +258,0 @@ return this.indentate(level) + '<' + key + attrStr+ '?' + this.tagEndChar;

@@ -57,7 +57,11 @@ const EOL = "\n";

}
xmlStr += `<![CDATA[${tagObj[tagName][0][options.textNodeName]}]]>`;
const cdataVal = String(tagObj[tagName][0][options.textNodeName]).replace(/\]\]>/g, ']]]]><![CDATA[>');
xmlStr += `<![CDATA[${cdataVal}]]>`;
isPreviousElementTag = false;
continue;
} else if (tagName === options.commentPropName) {
xmlStr += indentation + `<!--${tagObj[tagName][0][options.textNodeName]}-->`;
const commentVal = String(tagObj[tagName][0][options.textNodeName])
.replace(/--/g, '- -') // -- is illegal anywhere in comment content
.replace(/-$/, '- '); // trailing - would form --> with the closing delimiter
xmlStr += indentation + `<!--${commentVal}-->`;
isPreviousElementTag = true;

@@ -64,0 +68,0 @@ continue;