🚀. Socket Launch Week Day 3:Socket Firewall Now Blocks Malicious VS Code and Open VSX Extensions.Learn more
Sign In

fast-xml-parser

Package Overview
Dependencies
Maintainers
1
Versions
194
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

fast-xml-parser - npm Package Compare versions

Comparing version
5.8.0
 to
5.9.0
+6
-0
CHANGELOG.md

@@ -5,2 +5,8 @@ <small>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</small>

**5.9.0 / 2026-06-15* (not released yet)
- update strnum to 2.3.0
- you can set hex, binary, enotation, infinity, unicode
- validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library.
User can override rules by overriding EntityDecoder.
**5.8.0 / 2026-05-12*

@@ -7,0 +13,0 @@ - integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)

+3
-1
lib/fxp.d.cts

@@ -512,3 +512,5 @@ /**

skipLike?: RegExp,
eNotation?: boolean
eNotation?: boolean,
infinity?: string,
unicode?: boolean
}

@@ -515,0 +517,0 @@ 

+1
-1
lib/fxparser.min.js

@@ -1,2 +0,2 @@

!function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.XMLParser=e():t.XMLParser=e()}(this,()=>(()=>{"use strict";var t={d:(e,r)=>{for(var n in r)t.o(r,n)&&!t.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:r[n]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{default:()=>$t});var r=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",n=new RegExp("^["+r+"]["+r+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function i(t,e){for(var r=[],n=e.exec(t);n;){var i=[];i.startIndex=e.lastIndex-n[0].length;for(var a=n.length,s=0;s<a;s++)i.push(n[s]);r.push(i),n=e.exec(t)}return r}var a=function(t){return!(null==n.exec(t))},s=["hasOwnProperty","toString","valueOf","__defineGetter__","__defineSetter__","__lookupGetter__","__lookupSetter__"],o=["__proto__","constructor","prototype"],h=function(t){return s.includes(t)?"__"+t:t},l={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:function(){return!1},commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,entityDecoder:null,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,r){return t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:h};function u(t,e){if("string"==typeof t){var r=t.toLowerCase();if(s.some(function(t){return r===t.toLowerCase()}))throw new Error("[SECURITY] Invalid "+e+': "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution');if(o.some(function(t){return r===t.toLowerCase()}))throw new Error("[SECURITY] Invalid "+e+': "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution')}}function d(t,e){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:1e4,maxTotalExpansions:1/0,maxExpandedLength:1e5,maxEntityCount:1e3,allowedTags:null,tagFilter:null,appliesTo:"all"}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,null!=(r=t.maxEntitySize)?r:1e4),maxExpansionDepth:Math.max(1,null!=(n=t.maxExpansionDepth)?n:1e4),maxTotalExpansions:Math.max(1,null!=(i=t.maxTotalExpansions)?i:1/0),maxExpandedLength:Math.max(1,null!=(a=t.maxExpandedLength)?a:1e5),maxEntityCount:Math.max(1,null!=(s=t.maxEntityCount)?s:1e3),allowedTags:null!=(o=t.allowedTags)?o:null,tagFilter:null!=(h=t.tagFilter)?h:null,appliesTo:null!=(l=t.appliesTo)?l:"all"}:d(!0);var r,n,i,a,s,o,h,l}var p,c=function(t){for(var e=Object.assign({},l,t),r=0,n=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];r<n.length;r++){var i=n[r],a=i.value,s=i.name;a&&u(a,s)}return null===e.onDangerousProperty&&(e.onDangerousProperty=h),e.processEntities=d(e.processEntities,e.htmlEntities),e.unpairedTagsSet=new Set(e.unpairedTags),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(function(t){return"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t})),e};p="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");var f=function(){function t(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}var e=t.prototype;return e.add=function(t,e){var r;"__proto__"===t&&(t="#__proto__"),this.child.push(((r={})[t]=e,r))},e.addChild=function(t,e){var r,n;"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push(((r={})[t.tagname]=t.child,r[":@"]=t[":@"],r)):this.child.push(((n={})[t.tagname]=t.child,n)),void 0!==e&&(this.child[this.child.length-1][p]={startIndex:e})},t.getMetaDataSymbol=function(){return p},t}();const g=":A-Za-z_À-ÖØ-öø-˿Ͱ-ͽͿ-҆҈-῿‌-‍⁰-↏Ⰰ-⿯、-퟿豈-﷏ﷰ-�",m=":A-Za-z_À-˿Ͱ-ͽͿ-҆҈-῿‌-‍⁰-↏Ⰰ-⿯、-퟿豈-﷏ﷰ-�𐀀-󯿿",v=m+"\\-\\.\\d·̀-ͯ҇‿-⁀",x=(t,e,r="")=>{const n=`[${t.replace(":","")}][${e.replace(":","")}]*`;return{name:new RegExp(`^[${t}][${e}]*$`,r),ncName:new RegExp(`^${n}$`,r),qName:new RegExp(`^${n}(?::${n})?$`,r),nmToken:new RegExp(`^[${e}]+$`,r),nmTokens:new RegExp(`^[${e}]+(?:\\s+[${e}]+)*$`,r)}},b=x(g,g+"\\-\\.\\d·̀-ͯ‿-⁀"),y=x(m,v,"u"),E=(t,{xmlVersion:e="1.0"}={})=>((t="1.0")=>"1.1"===t?y:b)(e).qName.test(t);var N=function(){function t(t,e){this.suppressValidationErr=!t,this.options=t,this.xmlVersion=e||1}var e=t.prototype;return e.setXmlVersion=function(t){void 0===t&&(t=1),this.xmlVersion=t},e.readDocType=function(t,e){var r=Object.create(null),n=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");e+=9;for(var i=1,a=!1,s=!1;e<t.length;e++)if("<"!==t[e]||s)if(">"===t[e]){if(s?"-"===t[e-1]&&"-"===t[e-2]&&(s=!1,i--):i--,0===i)break}else"["===t[e]?a=!0:t[e];else{if(a&&_(t,"!ENTITY",e)){e+=7;var o,h=void 0,l=this.readEntityExp(t,e+1,this.suppressValidationErr);if(o=l[0],h=l[1],e=l[2],-1===h.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&n>=this.options.maxEntityCount)throw new Error("Entity count ("+(n+1)+") exceeds maximum allowed ("+this.options.maxEntityCount+")");r[o]=h,n++}}else if(a&&_(t,"!ELEMENT",e))e+=8,e=this.readElementExp(t,e+1).index;else if(a&&_(t,"!ATTLIST",e))e+=8;else if(a&&_(t,"!NOTATION",e))e+=9,e=this.readNotationExp(t,e+1,this.suppressValidationErr).index;else{if(!_(t,"!--",e))throw new Error("Invalid DOCTYPE");s=!0}i++}if(0!==i)throw new Error("Unclosed DOCTYPE");return{entities:r,i:e}},e.readEntityExp=function(t,e){for(var r=e=w(t,e);e<t.length&&!/\s/.test(t[e])&&'"'!==t[e]&&"'"!==t[e];)e++;var n=t.substring(r,e);if(S(n,{xmlVersion:this.xmlVersion}),e=w(t,e),!this.suppressValidationErr){if("SYSTEM"===t.substring(e,e+6).toUpperCase())throw new Error("External entities are not supported");if("%"===t[e])throw new Error("Parameter entities are not supported")}var i,a=this.readIdentifierVal(t,e,"entity");if(e=a[0],i=a[1],!1!==this.options.enabled&&null!=this.options.maxEntitySize&&i.length>this.options.maxEntitySize)throw new Error('Entity "'+n+'" size ('+i.length+") exceeds maximum allowed size ("+this.options.maxEntitySize+")");return[n,i,--e]},e.readNotationExp=function(t,e){for(var r=e=w(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var n=t.substring(r,e);!this.suppressValidationErr&&S(n,{xmlVersion:this.xmlVersion}),e=w(t,e);var i=t.substring(e,e+6).toUpperCase();if(!this.suppressValidationErr&&"SYSTEM"!==i&&"PUBLIC"!==i)throw new Error('Expected SYSTEM or PUBLIC, found "'+i+'"');e+=i.length,e=w(t,e);var a=null,s=null;if("PUBLIC"===i){var o=this.readIdentifierVal(t,e,"publicIdentifier");if(e=o[0],a=o[1],'"'===t[e=w(t,e)]||"'"===t[e]){var h=this.readIdentifierVal(t,e,"systemIdentifier");e=h[0],s=h[1]}}else if("SYSTEM"===i){var l=this.readIdentifierVal(t,e,"systemIdentifier");if(e=l[0],s=l[1],!this.suppressValidationErr&&!s)throw new Error("Missing mandatory system identifier for SYSTEM notation")}return{notationName:n,publicIdentifier:a,systemIdentifier:s,index:--e}},e.readIdentifierVal=function(t,e,r){var n,i=t[e];if('"'!==i&&"'"!==i)throw new Error('Expected quoted string, found "'+i+'"');for(var a=++e;e<t.length&&t[e]!==i;)e++;if(n=t.substring(a,e),t[e]!==i)throw new Error("Unterminated "+r+" value");return[++e,n]},e.readElementExp=function(t,e){for(var r=e=w(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var n=t.substring(r,e);if(!this.suppressValidationErr&&!E(n,{xmlVersion:this.xmlVersion}))throw new Error('Invalid element name: "'+n+'"');var i="";if("E"===t[e=w(t,e)]&&_(t,"MPTY",e))e+=4;else if("A"===t[e]&&_(t,"NY",e))e+=2;else if("("===t[e]){for(var a=++e;e<t.length&&")"!==t[e];)e++;if(i=t.substring(a,e),")"!==t[e])throw new Error("Unterminated content model")}else if(!this.suppressValidationErr)throw new Error('Invalid Element Expression, found "'+t[e]+'"');return{elementName:n,contentModel:i.trim(),index:e}},e.readAttlistExp=function(t,e){for(var r=e=w(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var n=t.substring(r,e);for(S(n,{xmlVersion:this.xmlVersion}),r=e=w(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);if(!S(i,{xmlVersion:this.xmlVersion}))throw new Error('Invalid attribute name: "'+i+'"');e=w(t,e);var a="";if("NOTATION"===t.substring(e,e+8).toUpperCase()){if(a="NOTATION","("!==t[e=w(t,e+=8)])throw new Error("Expected '(', found \""+t[e]+'"');e++;for(var s=[];e<t.length&&")"!==t[e];){for(var o=e;e<t.length&&"|"!==t[e]&&")"!==t[e];)e++;var h=t.substring(o,e);if(!S(h=h.trim(),{xmlVersion:this.xmlVersion}))throw new Error('Invalid notation name: "'+h+'"');s.push(h),"|"===t[e]&&(e++,e=w(t,e))}if(")"!==t[e])throw new Error("Unterminated list of notations");e++,a+=" ("+s.join("|")+")"}else{for(var l=e;e<t.length&&!/\s/.test(t[e]);)e++;if(a+=t.substring(l,e),!this.suppressValidationErr&&!["CDATA","ID","IDREF","IDREFS","ENTITY","ENTITIES","NMTOKEN","NMTOKENS"].includes(a.toUpperCase()))throw new Error('Invalid attribute type: "'+a+'"')}e=w(t,e);var u="";if("#REQUIRED"===t.substring(e,e+8).toUpperCase())u="#REQUIRED",e+=8;else if("#IMPLIED"===t.substring(e,e+7).toUpperCase())u="#IMPLIED",e+=7;else{var d=this.readIdentifierVal(t,e,"ATTLIST");e=d[0],u=d[1]}return{elementName:n,attributeName:i,attributeType:a,defaultValue:u,index:e}},t}(),w=function(t,e){for(;e<t.length&&/\s/.test(t[e]);)e++;return e};function _(t,e,r){for(var n=0;n<e.length;n++)if(e[n]!==t[r+n+1])return!1;return!0}function S(t,e){if(E(t,{xmlVersion:e}))return t;throw new Error("Invalid entity name "+t)}const T=/^[-+]?0x[a-fA-F0-9]+$/,C=/^0b[01]+$/,A=/^0o[0-7]+$/,I=/^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/,P={hex:!0,binary:!1,octal:!1,leadingZeros:!0,decimalPoint:".",eNotation:!0,infinity:"original"};const M=/^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;function O(t,e){const r=t.trim();if(2!==e&&8!==e||(t=r.substring(2)),parseInt)return parseInt(t,e);if(Number.parseInt)return Number.parseInt(t,e);if(window&&window.parseInt)return window.parseInt(t,e);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}function D(t,e){(null==e||e>t.length)&&(e=t.length);for(var r=0,n=Array(e);r<e;r++)n[r]=t[r];return n}class V{constructor(t){this._matcher=t}get separator(){return this._matcher.separator}getCurrentTag(){const t=this._matcher.path;return t.length>0?t[t.length-1].tag:void 0}getCurrentNamespace(){const t=this._matcher.path;return t.length>0?t[t.length-1].namespace:void 0}getAttrValue(t){const e=this._matcher.path;if(0!==e.length)return e[e.length-1].values?.[t]}hasAttr(t){const e=this._matcher.path;if(0===e.length)return!1;const r=e[e.length-1];return void 0!==r.values&&t in r.values}getPosition(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].position??0}getCounter(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this._matcher.path.length}toString(t,e=!0){return this._matcher.toString(t,e)}toArray(){return this._matcher.path.map(t=>t.tag)}matches(t){return this._matcher.matches(t)}matchesAny(t){return t.matchesAny(this._matcher)}}class k{constructor(t={}){this.separator=t.separator||".",this.path=[],this.siblingStacks=[],this._pathStringCache=null,this._view=new V(this)}push(t,e=null,r=null){this._pathStringCache=null,this.path.length>0&&(this.path[this.path.length-1].values=void 0);const n=this.path.length;this.siblingStacks[n]||(this.siblingStacks[n]=new Map);const i=this.siblingStacks[n],a=r?`${r}:${t}`:t,s=i.get(a)||0;let o=0;for(const t of i.values())o+=t;i.set(a,s+1);const h={tag:t,position:o,counter:s};null!=r&&(h.namespace=r),null!=e&&(h.values=e),this.path.push(h)}pop(){if(0===this.path.length)return;this._pathStringCache=null;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0!==this.path.length)return this.path[this.path.length-1].values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const r=t||this.separator;if(r===this.separator&&!0===e){if(null!==this._pathStringCache)return this._pathStringCache;const t=this.path.map(t=>t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(r);return this._pathStringCache=t,t}return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(r)}toArray(){return this.path.map(t=>t.tag)}reset(){this._pathStringCache=null,this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e<t.length;e++)if(!this._matchSegment(t[e],this.path[e],e===this.path.length-1))return!1;return!0}_matchWithDeepWildcard(t){let e=this.path.length-1,r=t.length-1;for(;r>=0&&e>=0;){const n=t[r];if("deep-wildcard"===n.type){if(r--,r<0)return!0;const n=t[r];let i=!1;for(let t=e;t>=0;t--)if(this._matchSegment(n,this.path[t],t===this.path.length-1)){e=t-1,r--,i=!0;break}if(!i)return!1}else{if(!this._matchSegment(n,this.path[e],e===this.path.length-1))return!1;e--,r--}}return r<0}_matchSegment(t,e,r){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!r)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue&&String(e.values[t.attrName])!==String(t.attrValue))return!1}if(void 0!==t.position){if(!r)return!1;const n=e.counter??0;if("first"===t.position&&0!==n)return!1;if("odd"===t.position&&n%2!=1)return!1;if("even"===t.position&&n%2!=0)return!1;if("nth"===t.position&&n!==t.positionValue)return!1}return!0}matchesAny(t){return t.matchesAny(this)}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this._pathStringCache=null,this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return this._view}}class ${constructor(t,e={},r){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this.data=r,this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let r=0,n="";for(;r<t.length;)t[r]===this.separator?r+1<t.length&&t[r+1]===this.separator?(n.trim()&&(e.push(this._parseSegment(n.trim())),n=""),e.push({type:"deep-wildcard"}),r+=2):(n.trim()&&e.push(this._parseSegment(n.trim())),n="",r++):(n+=t[r],r++);return n.trim()&&e.push(this._parseSegment(n.trim())),e}_parseSegment(t){const e={type:"tag"};let r=null,n=t;const i=t.match(/^([^\[]+)(\[[^\]]*\])(.*)$/);if(i&&(n=i[1]+i[3],i[2])){const t=i[2].slice(1,-1);t&&(r=t)}let a,s,o=n;if(n.includes("::")){const e=n.indexOf("::");if(a=n.substring(0,e).trim(),o=n.substring(e+2).trim(),!a)throw new Error(`Invalid namespace in pattern: ${t}`)}let h=null;if(o.includes(":")){const t=o.lastIndexOf(":"),e=o.substring(0,t).trim(),r=o.substring(t+1).trim();["first","last","odd","even"].includes(r)||/^nth\(\d+\)$/.test(r)?(s=e,h=r):s=o}else s=o;if(!s)throw new Error(`Invalid segment pattern: ${t}`);if(e.tag=s,a&&(e.namespace=a),r)if(r.includes("=")){const t=r.indexOf("=");e.attrName=r.substring(0,t).trim(),e.attrValue=r.substring(t+1).trim()}else e.attrName=r.trim();if(h){const t=h.match(/^nth\((\d+)\)$/);t?(e.position="nth",e.positionValue=parseInt(t[1],10)):e.position=h}return e}get length(){return this.segments.length}hasDeepWildcard(){return this._hasDeepWildcard}hasAttributeCondition(){return this._hasAttributeCondition}hasPositionSelector(){return this._hasPositionSelector}toString(){return this.pattern}}class j{constructor(){this._byDepthAndTag=new Map,this._wildcardByDepth=new Map,this._deepWildcards=[],this._patterns=new Set,this._sealed=!1}add(t){if(this._sealed)throw new TypeError("ExpressionSet is sealed. Create a new ExpressionSet to add more expressions.");if(this._patterns.has(t.pattern))return this;if(this._patterns.add(t.pattern),t.hasDeepWildcard())return this._deepWildcards.push(t),this;const e=t.length,r=t.segments[t.segments.length-1],n=r?.tag;if(n&&"*"!==n){const r=`${e}:${n}`;this._byDepthAndTag.has(r)||this._byDepthAndTag.set(r,[]),this._byDepthAndTag.get(r).push(t)}else this._wildcardByDepth.has(e)||this._wildcardByDepth.set(e,[]),this._wildcardByDepth.get(e).push(t);return this}addAll(t){for(const e of t)this.add(e);return this}has(t){return this._patterns.has(t.pattern)}get size(){return this._patterns.size}seal(){return this._sealed=!0,this}get isSealed(){return this._sealed}matchesAny(t){return null!==this.findMatch(t)}findMatch(t){const e=t.getDepth(),r=`${e}:${t.getCurrentTag()}`,n=this._byDepthAndTag.get(r);if(n)for(let e=0;e<n.length;e++)if(t.matches(n[e]))return n[e];const i=this._wildcardByDepth.get(e);if(i)for(let e=0;e<i.length;e++)if(t.matches(i[e]))return i[e];for(let e=0;e<this._deepWildcards.length;e++)if(t.matches(this._deepWildcards[e]))return this._deepWildcards[e];return null}}const L={cent:"¢",pound:"£",curren:"¤",yen:"¥",euro:"€",dollar:"$",euro:"€",fnof:"ƒ",inr:"₹",af:"؋",birr:"ብር",peso:"₱",rub:"₽",won:"₩",yuan:"¥",cedil:"¸"},F={amp:"&",apos:"'",gt:">",lt:"<",quot:'"'},R={nbsp:" ",copy:"©",reg:"®",trade:"™",mdash:"—",ndash:"–",hellip:"…",laquo:"«",raquo:"»",lsquo:"‘",rsquo:"’",ldquo:"“",rdquo:"”",bull:"•",para:"¶",sect:"§",deg:"°",frac12:"½",frac14:"¼",frac34:"¾"},U=new Set("!?\\\\/[]$%{}^&*()<>|+");function W(t){if("#"===t[0])throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${t}"`);for(const e of t)if(U.has(e))throw new Error(`[EntityReplacer] Invalid character '${e}' in entity name: "${t}"`);return t}function X(...t){const e=Object.create(null);for(const r of t)if(r)for(const t of Object.keys(r)){const n=r[t];if("string"==typeof n)e[t]=n;else if(n&&"object"==typeof n&&void 0!==n.val){const r=n.val;"string"==typeof r&&(e[t]=r)}}return e}const Y="external",z="base",B="all",q=Object.freeze({allow:0,leave:1,remove:2,throw:3}),G=new Set([9,10,13]);class Z{constructor(t={}){var e;this._limit=t.limit||{},this._maxTotalExpansions=this._limit.maxTotalExpansions||0,this._maxExpandedLength=this._limit.maxExpandedLength||0,this._postCheck="function"==typeof t.postCheck?t.postCheck:t=>t,this._limitTiers=(e=this._limit.applyLimitsTo??Y)&&e!==Y?e===B?new Set([B]):e===z?new Set([z]):Array.isArray(e)?new Set(e):new Set([Y]):new Set([Y]),this._numericAllowed=t.numericAllowed??!0,this._baseMap=X(F,t.namedEntities||null),this._externalMap=Object.create(null),this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this._removeSet=new Set(t.remove&&Array.isArray(t.remove)?t.remove:[]),this._leaveSet=new Set(t.leave&&Array.isArray(t.leave)?t.leave:[]);const r=function(t){if(!t)return{xmlVersion:1,onLevel:q.allow,nullLevel:q.remove};const e=1.1===t.xmlVersion?1.1:1,r=q[t.onNCR]??q.allow,n=q[t.nullNCR]??q.remove;return{xmlVersion:e,onLevel:r,nullLevel:Math.max(n,q.remove)}}(t.ncr);this._ncrXmlVersion=r.xmlVersion,this._ncrOnLevel=r.onLevel,this._ncrNullLevel=r.nullLevel}setExternalEntities(t){if(t)for(const e of Object.keys(t))W(e);this._externalMap=X(t)}addExternalEntity(t,e){W(t),"string"==typeof e&&-1===e.indexOf("&")&&(this._externalMap[t]=e)}addInputEntities(t){this._totalExpansions=0,this._expandedLength=0,this._inputMap=X(t)}reset(){return this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this}setXmlVersion(t){this._ncrXmlVersion=1.1===t?1.1:1}decode(t){if("string"!=typeof t||0===t.length)return t;const e=t,r=[],n=t.length;let i=0,a=0;const s=this._maxTotalExpansions>0,o=this._maxExpandedLength>0,h=s||o;for(;a<n;){if(38!==t.charCodeAt(a)){a++;continue}let e=a+1;for(;e<n&&59!==t.charCodeAt(e)&&e-a<=32;)e++;if(e>=n||59!==t.charCodeAt(e)){a++;continue}const l=t.slice(a+1,e);if(0===l.length){a++;continue}let u,d;if(this._removeSet.has(l))u="",void 0===d&&(d=Y);else{if(this._leaveSet.has(l)){a++;continue}if(35===l.charCodeAt(0)){const t=this._resolveNCR(l);if(void 0===t){a++;continue}u=t,d=z}else{const t=this._resolveName(l);u=t?.value,d=t?.tier}}if(void 0!==u){if(a>i&&r.push(t.slice(i,a)),r.push(u),i=e+1,a=i,h&&this._tierCounts(d)){if(s&&(this._totalExpansions++,this._totalExpansions>this._maxTotalExpansions))throw new Error(`[EntityReplacer] Entity expansion count limit exceeded: ${this._totalExpansions} > ${this._maxTotalExpansions}`);if(o){const t=u.length-(l.length+2);if(t>0&&(this._expandedLength+=t,this._expandedLength>this._maxExpandedLength))throw new Error(`[EntityReplacer] Expanded content length limit exceeded: ${this._expandedLength} > ${this._maxExpandedLength}`)}}}else a++}i<n&&r.push(t.slice(i));const l=0===r.length?t:r.join("");return this._postCheck(l,e)}_tierCounts(t){return!!this._limitTiers.has(B)||this._limitTiers.has(t)}_resolveName(t){return t in this._inputMap?{value:this._inputMap[t],tier:Y}:t in this._externalMap?{value:this._externalMap[t],tier:Y}:t in this._baseMap?{value:this._baseMap[t],tier:z}:void 0}_classifyNCR(t){return 0===t?this._ncrNullLevel:t>=55296&&t<=57343||1===this._ncrXmlVersion&&t>=1&&t<=31&&!G.has(t)?q.remove:-1}_applyNCRAction(t,e,r){switch(t){case q.allow:return String.fromCodePoint(r);case q.remove:return"";case q.leave:return;case q.throw:throw new Error(`[EntityDecoder] Prohibited numeric character reference &${e}; (U+${r.toString(16).toUpperCase().padStart(4,"0")})`);default:return String.fromCodePoint(r)}}_resolveNCR(t){const e=t.charCodeAt(1);let r;if(r=120===e||88===e?parseInt(t.slice(2),16):parseInt(t.slice(1),10),Number.isNaN(r)||r<0||r>1114111)return;const n=this._classifyNCR(r);if(!this._numericAllowed&&n<q.remove)return;const i=-1===n?this._ncrOnLevel:Math.max(this._ncrOnLevel,n);return this._applyNCRAction(i,t,r)}}function J(){return J=Object.assign?Object.assign.bind():function(t){for(var e=1;e<arguments.length;e++){var r=arguments[e];for(var n in r)({}).hasOwnProperty.call(r,n)&&(t[n]=r[n])}return t},J.apply(null,arguments)}function K(t,e){if(!t)return{};var r=e.attributesGroupName?t[e.attributesGroupName]:t;if(!r)return{};var n={};for(var i in r)i.startsWith(e.attributeNamePrefix)?n[i.substring(e.attributeNamePrefix.length)]=r[i]:n[i]=r[i];return n}function Q(t){if(t&&"string"==typeof t){var e=t.indexOf(":");if(-1!==e&&e>0){var r=t.substring(0,e);if("xmlns"!==r)return r}}}var H=function(t,e){var r;this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.parseXml=it,this.parseTextData=tt,this.resolveNameSpace=et,this.buildAttributesMap=nt,this.isItStopNode=ht,this.replaceEntitiesValue=st,this.readStopNodeData=pt,this.saveTextToParentTag=ot,this.addChild=at,this.ignoreAttributesFn="function"==typeof(r=this.options.ignoreAttributes)?r:Array.isArray(r)?function(t){for(var e,n=function(t,e){var r="undefined"!=typeof Symbol&&t[Symbol.iterator]||t["@@iterator"];if(r)return(r=r.call(t)).next.bind(r);if(Array.isArray(t)||(r=function(t,e){if(t){if("string"==typeof t)return D(t,e);var r={}.toString.call(t).slice(8,-1);return"Object"===r&&t.constructor&&(r=t.constructor.name),"Map"===r||"Set"===r?Array.from(t):"Arguments"===r||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r)?D(t,e):void 0}}(t))||e&&t&&"number"==typeof t.length){r&&(t=r);var n=0;return function(){return n>=t.length?{done:!0}:{done:!1,value:t[n++]}}}throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}(r);!(e=n()).done;){var i=e.value;if("string"==typeof i&&t===i)return!0;if(i instanceof RegExp&&i.test(t))return!0}}:function(){return!1},this.entityExpansionCount=0,this.currentExpandedLength=0;var n=J({},F);this.options.entityDecoder?this.entityDecoder=this.options.entityDecoder:("object"==typeof this.options.htmlEntities?n=this.options.htmlEntities:!0===this.options.htmlEntities&&(n=J({},R,L)),this.entityDecoder=new Z({namedEntities:J({},n,e),numericAllowed:this.options.htmlEntities,limit:{maxTotalExpansions:this.options.processEntities.maxTotalExpansions,maxExpandedLength:this.options.processEntities.maxExpandedLength,applyLimitsTo:this.options.processEntities.appliesTo}})),this.matcher=new k,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.stopNodeExpressionsSet=new j;var i=this.options.stopNodes;if(i&&i.length>0){for(var a=0;a<i.length;a++){var s=i[a];"string"==typeof s?this.stopNodeExpressionsSet.add(new $(s)):s instanceof $&&this.stopNodeExpressionsSet.add(s)}this.stopNodeExpressionsSet.seal()}};function tt(t,e,r,n,i,a,s){var o=this.options;if(void 0!==t&&(o.trimValues&&!n&&(t=t.trim()),t.length>0)){s||(t=this.replaceEntitiesValue(t,e,r));var h=o.jPath?r.toString():r,l=o.tagValueProcessor(e,t,h,i,a);return null==l?t:typeof l!=typeof t||l!==t?l:o.trimValues||t.trim()===t?ct(t,o.parseTagValue,o.numberParseOptions):t}}function et(t){if(this.options.removeNSPrefix){var e=t.split(":"),r="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=r+e[1])}return t}var rt=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function nt(t,e,r,n){void 0===n&&(n=!1);var a=this.options;if(!0===n||!0!==a.ignoreAttributes&&"string"==typeof t){for(var s=i(t,rt),o=s.length,h={},l=new Array(o),u=!1,d={},p=0;p<o;p++){var c=this.resolveNameSpace(s[p][1]),f=s[p][4];if(c.length&&void 0!==f){var g=f;a.trimValues&&(g=g.trim()),g=this.replaceEntitiesValue(g,r,this.readonlyMatcher),l[p]=g,d[c]=g,u=!0}}u&&"object"==typeof e&&e.updateCurrent&&e.updateCurrent(d);for(var m=a.jPath?e.toString():this.readonlyMatcher,v=!1,x=0;x<o;x++){var b=this.resolveNameSpace(s[x][1]);if(!this.ignoreAttributesFn(b,m)){var y=a.attributeNamePrefix+b;if(b.length)if(a.transformAttributeName&&(y=a.transformAttributeName(y)),y=gt(y,a),void 0!==s[x][4]){var E=l[x],N=a.attributeValueProcessor(b,E,m);h[y]=null==N?E:typeof N!=typeof E||N!==E?N:ct(E,a.parseAttributeValue,a.numberParseOptions),v=!0}else a.allowBooleanAttributes&&(h[y]=!0,v=!0)}}if(!v)return;if(a.attributesGroupName&&!a.preserveOrder){var w={};return w[a.attributesGroupName]=h,w}return h}}var it=function(t){t=t.replace(/\r\n?/g,"\n");var e=new f("!xml"),r=e,n="";this.matcher.reset(),this.entityDecoder.reset(),this.entityExpansionCount=0,this.currentExpandedLength=0;for(var i=this.options,a=new N(i.processEntities),s=t.length,o=0;o<s;o++)if("<"===t[o]){var h=t.charCodeAt(o+1);if(47===h){var l=lt(t,">",o,"Closing Tag is not closed."),u=t.substring(o+2,l).trim();if(i.removeNSPrefix){var d=u.indexOf(":");-1!==d&&(u=u.substr(d+1))}u=ft(i.transformTagName,u,"",i).tagName,r&&(n=this.saveTextToParentTag(n,r,this.readonlyMatcher));var p=this.matcher.getCurrentTag();if(u&&i.unpairedTagsSet.has(u))throw new Error("Unpaired tag can not be used as closing tag: </"+u+">");p&&i.unpairedTagsSet.has(p)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,r=this.tagsNodeStack.pop(),n="",o=l}else if(63===h){var c=dt(t,o,!1,"?>");if(!c)throw new Error("Pi Tag is not closed.");n=this.saveTextToParentTag(n,r,this.readonlyMatcher);var g=this.buildAttributesMap(c.tagExp,this.matcher,c.tagName,!0);if(g){var m=g[this.options.attributeNamePrefix+"version"];this.entityDecoder.setXmlVersion(Number(m)||1),a.setXmlVersion(Number(m)||1)}if(i.ignoreDeclaration&&"?xml"===c.tagName||i.ignorePiTags);else{var v=new f(c.tagName);v.add(i.textNodeName,""),c.tagName!==c.tagExp&&c.attrExpPresent&&!0!==i.ignoreAttributes&&(v[":@"]=g),this.addChild(r,v,this.readonlyMatcher,o)}o=c.closeIndex+1}else if(33===h&&45===t.charCodeAt(o+2)&&45===t.charCodeAt(o+3)){var x=lt(t,"--\x3e",o+4,"Comment is not closed.");if(i.commentPropName){var b,y=t.substring(o+4,x-2);n=this.saveTextToParentTag(n,r,this.readonlyMatcher),r.add(i.commentPropName,[(b={},b[i.textNodeName]=y,b)])}o=x}else if(33===h&&68===t.charCodeAt(o+2)){var E=a.readDocType(t,o);this.entityDecoder.addInputEntities(E.entities),o=E.i}else if(33===h&&91===t.charCodeAt(o+2)){var w=lt(t,"]]>",o,"CDATA is not closed.")-2,_=t.substring(o+9,w);n=this.saveTextToParentTag(n,r,this.readonlyMatcher);var S,T=this.parseTextData(_,r.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==T&&(T=""),i.cdataPropName?r.add(i.cdataPropName,[(S={},S[i.textNodeName]=_,S)]):r.add(i.textNodeName,T),o=w+2}else{var C=dt(t,o,i.removeNSPrefix);if(!C){var A=t.substring(Math.max(0,o-50),Math.min(s,o+50));throw new Error("readTagExp returned undefined at position "+o+'. Context: "'+A+'"')}var I=C.tagName,P=C.rawTagName,M=C.tagExp,O=C.attrExpPresent,D=C.closeIndex,V=ft(i.transformTagName,I,M,i);if(I=V.tagName,M=V.tagExp,i.strictReservedNames&&(I===i.commentPropName||I===i.cdataPropName||I===i.textNodeName||I===i.attributesGroupName))throw new Error("Invalid tag name: "+I);r&&n&&"!xml"!==r.tagname&&(n=this.saveTextToParentTag(n,r,this.readonlyMatcher,!1));var k=r;k&&i.unpairedTagsSet.has(k.tagname)&&(r=this.tagsNodeStack.pop(),this.matcher.pop());var $=!1;M.length>0&&M.lastIndexOf("/")===M.length-1&&($=!0,M="/"===I[I.length-1]?I=I.substr(0,I.length-1):M.substr(0,M.length-1),O=I!==M);var j,L=null;j=Q(P),I!==e.tagname&&this.matcher.push(I,{},j),I!==M&&O&&(L=this.buildAttributesMap(M,this.matcher,I))&&K(L,i),I!==e.tagname&&(this.isCurrentNodeStopNode=this.isItStopNode());var F=o;if(this.isCurrentNodeStopNode){var R="";if($)o=C.closeIndex;else if(i.unpairedTagsSet.has(I))o=C.closeIndex;else{var U=this.readStopNodeData(t,P,D+1);if(!U)throw new Error("Unexpected end of "+P);o=U.i,R=U.tagContent}var W=new f(I);L&&(W[":@"]=L),W.add(i.textNodeName,R),this.matcher.pop(),this.isCurrentNodeStopNode=!1,this.addChild(r,W,this.readonlyMatcher,F)}else{if($){var X=ft(i.transformTagName,I,M,i);I=X.tagName,M=X.tagExp;var Y=new f(I);L&&(Y[":@"]=L),this.addChild(r,Y,this.readonlyMatcher,F),this.matcher.pop(),this.isCurrentNodeStopNode=!1}else{if(i.unpairedTagsSet.has(I)){var z=new f(I);L&&(z[":@"]=L),this.addChild(r,z,this.readonlyMatcher,F),this.matcher.pop(),this.isCurrentNodeStopNode=!1,o=C.closeIndex;continue}var B=new f(I);if(this.tagsNodeStack.length>i.maxNestedTags)throw new Error("Maximum nested tags exceeded");this.tagsNodeStack.push(r),L&&(B[":@"]=L),this.addChild(r,B,this.readonlyMatcher,F),r=B}n="",o=D}}}else n+=t[o];return e.child};function at(t,e,r,n){this.options.captureMetaData||(n=void 0);var i=this.options.jPath?r.toString():r,a=this.options.updateTag(e.tagname,i,e[":@"]);!1===a||("string"==typeof a?(e.tagname=a,t.addChild(e,n)):t.addChild(e,n))}function st(t,e,r){var n=this.options.processEntities;if(!n||!n.enabled)return t;if(n.allowedTags){var i=this.options.jPath?r.toString():r;if(!(Array.isArray(n.allowedTags)?n.allowedTags.includes(e):n.allowedTags(e,i)))return t}if(n.tagFilter){var a=this.options.jPath?r.toString():r;if(!n.tagFilter(e,a))return t}return this.entityDecoder.decode(t)}function ot(t,e,r,n){return t&&(void 0===n&&(n=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,r,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,n))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function ht(){return 0!==this.stopNodeExpressionsSet.size&&this.matcher.matchesAny(this.stopNodeExpressionsSet)}function lt(t,e,r,n){var i=t.indexOf(e,r);if(-1===i)throw new Error(n);return i+e.length-1}function ut(t,e,r,n){var i=t.indexOf(e,r);if(-1===i)throw new Error(n);return i}function dt(t,e,r,n){void 0===n&&(n=">");var i=function(t,e,r){void 0===r&&(r=">");for(var n=0,i=t.length,a=r.charCodeAt(0),s=r.length>1?r.charCodeAt(1):-1,o="",h=e,l=e;l<i;l++){var u=t.charCodeAt(l);if(n)u===n&&(n=0);else if(34===u||39===u)n=u;else if(u===a){if(-1===s)return{data:o+=t.substring(h,l),index:l};if(t.charCodeAt(l+1)===s)return{data:o+=t.substring(h,l),index:l}}else 9!==u||n||(o+=t.substring(h,l)+" ",h=l+1)}}(t,e+1,n);if(i){var a=i.data,s=i.index,o=a.search(/\s/),h=a,l=!0;-1!==o&&(h=a.substring(0,o),a=a.substring(o+1).trimStart());var u=h;if(r){var d=h.indexOf(":");-1!==d&&(l=(h=h.substr(d+1))!==i.data.substr(d+1))}return{tagName:h,tagExp:a,closeIndex:s,attrExpPresent:l,rawTagName:u}}}function pt(t,e,r){for(var n=r,i=1,a=t.length;r<a;r++)if("<"===t[r]){var s=t.charCodeAt(r+1);if(47===s){var o=ut(t,">",r,e+" is not closed");if(t.substring(r+2,o).trim()===e&&0===--i)return{tagContent:t.substring(n,r),i:o};r=o}else if(63===s)r=lt(t,"?>",r+1,"StopNode is not closed.");else if(33===s&&45===t.charCodeAt(r+2)&&45===t.charCodeAt(r+3))r=lt(t,"--\x3e",r+3,"StopNode is not closed.");else if(33===s&&91===t.charCodeAt(r+2))r=lt(t,"]]>",r,"StopNode is not closed.")-2;else{var h=dt(t,r,!1);h&&((h&&h.tagName)===e&&"/"!==h.tagExp[h.tagExp.length-1]&&i++,r=h.closeIndex)}}}function ct(t,e,r){if(e&&"string"==typeof t){var n=t.trim();return"true"===n||"false"!==n&&function(t,e={}){if(e=Object.assign({},P,e),!t||"string"!=typeof t)return t;let r=t.trim();if(0===r.length)return t;if(void 0!==e.skipLike&&e.skipLike.test(r))return t;if("0"===r)return 0;if(e.hex&&T.test(r))return O(r,16);if(e.binary&&C.test(r))return O(r,2);if(e.octal&&A.test(r))return O(r,8);if(isFinite(r)){if(r.includes("e")||r.includes("E"))return function(t,e,r){if(!r.eNotation)return t;const n=e.match(M);if(n){let i=n[1]||"";const a=-1===n[3].indexOf("e")?"E":"e",s=n[2],o=i?t[s.length+1]===a:t[s.length]===a;return s.length>1&&o?t:(1!==s.length||!n[3].startsWith(`.${a}`)&&n[3][0]!==a)&&s.length>0?r.leadingZeros&&!o?(e=(n[1]||"")+n[3],Number(e)):t:Number(e)}return t}(t,r,e);{const i=I.exec(r);if(i){const a=i[1]||"",s=i[2];let o=(n=i[3])&&-1!==n.indexOf(".")?("."===(n=n.replace(/0+$/,""))?n="0":"."===n[0]?n="0"+n:"."===n[n.length-1]&&(n=n.substring(0,n.length-1)),n):n;const h=a?"."===t[s.length+1]:"."===t[s.length];if(!e.leadingZeros&&(s.length>1||1===s.length&&!h))return t;{const n=Number(r),i=String(n);if(0===n)return n;if(-1!==i.search(/[eE]/))return e.eNotation?n:t;if(-1!==r.indexOf("."))return"0"===i||i===o||i===`${a}${o}`?n:t;let h=s?o:r;return s?h===i||a+h===i?n:t:h===i||h===a+i?n:t}}return t}}var n;return function(t,e,r){const n=e===1/0;switch(r.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return n?"Infinity":"-Infinity";default:return t}}(t,Number(r),e)}(t,r)}return void 0!==t?t:""}function ft(t,e,r,n){if(t){var i=t(e);r===e&&(r=i),e=i}return{tagName:e=gt(e,n),tagExp:r}}function gt(t,e){if(o.includes(t))throw new Error('[SECURITY] Invalid name: "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution');return s.includes(t)?e.onDangerousProperty(t):t}var mt=f.getMetaDataSymbol();function vt(t,e){if(!t||"object"!=typeof t)return{};if(!e)return t;var r={};for(var n in t)n.startsWith(e)?r[n.substring(e.length)]=t[n]:r[n]=t[n];return r}function xt(t,e,r,n){return bt(t,e,r,n)}function bt(t,e,r,n){for(var i,a={},s=0;s<t.length;s++){var o=t[s],h=yt(o);if(void 0!==h&&h!==e.textNodeName){var l=vt(o[":@"]||{},e.attributeNamePrefix);r.push(h,l)}if(h===e.textNodeName)void 0===i?i=o[h]:i+=""+o[h];else{if(void 0===h)continue;if(o[h]){var u=bt(o[h],e,r,n),d=Nt(u,e);if(0===Object.keys(u).length&&e.alwaysCreateTextNode&&(u[e.textNodeName]=""),o[":@"]?Et(u,o[":@"],n,e):1!==Object.keys(u).length||void 0===u[e.textNodeName]||e.alwaysCreateTextNode?0===Object.keys(u).length&&(e.alwaysCreateTextNode?u[e.textNodeName]="":u=""):u=u[e.textNodeName],void 0!==o[mt]&&"object"==typeof u&&null!==u&&(u[mt]=o[mt]),void 0!==a[h]&&Object.prototype.hasOwnProperty.call(a,h))Array.isArray(a[h])||(a[h]=[a[h]]),a[h].push(u);else{var p=e.jPath?n.toString():n;e.isArray(h,p,d)?a[h]=[u]:a[h]=u}void 0!==h&&h!==e.textNodeName&&r.pop()}}}return"string"==typeof i?i.length>0&&(a[e.textNodeName]=i):void 0!==i&&(a[e.textNodeName]=i),a}function yt(t){for(var e=Object.keys(t),r=0;r<e.length;r++){var n=e[r];if(":@"!==n)return n}}function Et(t,e,r,n){if(e)for(var i=Object.keys(e),a=i.length,s=0;s<a;s++){var o=i[s],h=o.startsWith(n.attributeNamePrefix)?o.substring(n.attributeNamePrefix.length):o,l=n.jPath?r.toString()+"."+h:r;n.isArray(o,l,!0,!0)?t[o]=[e[o]]:t[o]=e[o]}}function Nt(t,e){var r=e.textNodeName,n=Object.keys(t).length;return 0===n||!(1!==n||!t[r]&&"boolean"!=typeof t[r]&&0!==t[r])}var wt={allowBooleanAttributes:!1,unpairedTags:[]};function _t(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function St(t,e){for(var r=e;e<t.length;e++)if("?"!=t[e]&&" "!=t[e]);else{var n=t.substr(r,e-r);if(e>5&&"xml"===n)return Mt("InvalidXml","XML declaration allowed only at the start of the document.",Vt(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}}return e}function Tt(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e<t.length;e++)if("-"===t[e]&&"-"===t[e+1]&&">"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){var r=1;for(e+=8;e<t.length;e++)if("<"===t[e])r++;else if(">"===t[e]&&0===--r)break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e<t.length;e++)if("]"===t[e]&&"]"===t[e+1]&&">"===t[e+2]){e+=2;break}return e}function Ct(t,e){for(var r="",n="",i=!1;e<t.length;e++){if('"'===t[e]||"'"===t[e])""===n?n=t[e]:n!==t[e]||(n="");else if(">"===t[e]&&""===n){i=!0;break}r+=t[e]}return""===n&&{value:r,index:e,tagClosed:i}}var At=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function It(t,e){for(var r=i(t,At),n={},a=0;a<r.length;a++){if(0===r[a][1].length)return Mt("InvalidAttr","Attribute '"+r[a][2]+"' has no space in starting.",kt(r[a]));if(void 0!==r[a][3]&&void 0===r[a][4])return Mt("InvalidAttr","Attribute '"+r[a][2]+"' is without value.",kt(r[a]));if(void 0===r[a][3]&&!e.allowBooleanAttributes)return Mt("InvalidAttr","boolean attribute '"+r[a][2]+"' is not allowed.",kt(r[a]));var s=r[a][2];if(!Ot(s))return Mt("InvalidAttr","Attribute '"+s+"' is an invalid name.",kt(r[a]));if(Object.prototype.hasOwnProperty.call(n,s))return Mt("InvalidAttr","Attribute '"+s+"' is repeated.",kt(r[a]));n[s]=1}return!0}function Pt(t,e){if(";"===t[++e])return-1;if("#"===t[e])return function(t,e){var r=/\d/;for("x"===t[e]&&(e++,r=/[\da-fA-F]/);e<t.length;e++){if(";"===t[e])return e;if(!t[e].match(r))break}return-1}(t,++e);for(var r=0;e<t.length;e++,r++)if(!(t[e].match(/\w/)&&r<20)){if(";"===t[e])break;return-1}return e}function Mt(t,e,r){return{err:{code:t,msg:e,line:r.line||r,col:r.col}}}function Ot(t){return a(t)}function Dt(t){return a(t)}function Vt(t,e){var r=t.substring(0,e).split(/\r?\n/);return{line:r.length,col:r[r.length-1].length+1}}function kt(t){return t.startIndex+t[1].length}var $t=function(){function t(t){this.externalEntities={},this.options=c(t)}var e=t.prototype;return e.parse=function(t,e){if("string"!=typeof t&&t.toString)t=t.toString();else if("string"!=typeof t)throw new Error("XML data is accepted in String or Bytes[] form.");if(e){!0===e&&(e={});var r=function(t,e){e=Object.assign({},wt,e);var r=[],n=!1,i=!1;"\ufeff"===t[0]&&(t=t.substr(1));for(var a=0;a<t.length;a++)if("<"===t[a]&&"?"===t[a+1]){if((a=St(t,a+=2)).err)return a}else{if("<"!==t[a]){if(_t(t[a]))continue;return Mt("InvalidChar","char '"+t[a]+"' is not expected.",Vt(t,a))}var s=a;if("!"===t[++a]){a=Tt(t,a);continue}var o=!1;"/"===t[a]&&(o=!0,a++);for(var h="";a<t.length&&">"!==t[a]&&" "!==t[a]&&"\t"!==t[a]&&"\n"!==t[a]&&"\r"!==t[a];a++)h+=t[a];if("/"===(h=h.trim())[h.length-1]&&(h=h.substring(0,h.length-1),a--),!Dt(h))return Mt("InvalidTag",0===h.trim().length?"Invalid space after '<'.":"Tag '"+h+"' is an invalid name.",Vt(t,a));var l=Ct(t,a);if(!1===l)return Mt("InvalidAttr","Attributes for '"+h+"' have open quote.",Vt(t,a));var u=l.value;if(a=l.index,"/"===u[u.length-1]){var d=a-u.length,p=It(u=u.substring(0,u.length-1),e);if(!0!==p)return Mt(p.err.code,p.err.msg,Vt(t,d+p.err.line));n=!0}else if(o){if(!l.tagClosed)return Mt("InvalidTag","Closing tag '"+h+"' doesn't have proper closing.",Vt(t,a));if(u.trim().length>0)return Mt("InvalidTag","Closing tag '"+h+"' can't have attributes or invalid starting.",Vt(t,s));if(0===r.length)return Mt("InvalidTag","Closing tag '"+h+"' has not been opened.",Vt(t,s));var c=r.pop();if(h!==c.tagName){var f=Vt(t,c.tagStartPos);return Mt("InvalidTag","Expected closing tag '"+c.tagName+"' (opened in line "+f.line+", col "+f.col+") instead of closing tag '"+h+"'.",Vt(t,s))}0==r.length&&(i=!0)}else{var g=It(u,e);if(!0!==g)return Mt(g.err.code,g.err.msg,Vt(t,a-u.length+g.err.line));if(!0===i)return Mt("InvalidXml","Multiple possible root nodes found.",Vt(t,a));-1!==e.unpairedTags.indexOf(h)||r.push({tagName:h,tagStartPos:s}),n=!0}for(a++;a<t.length;a++)if("<"===t[a]){if("!"===t[a+1]){a=Tt(t,++a);continue}if("?"!==t[a+1])break;if((a=St(t,++a)).err)return a}else if("&"===t[a]){var m=Pt(t,a);if(-1==m)return Mt("InvalidChar","char '&' is not expected.",Vt(t,a));a=m}else if(!0===i&&!_t(t[a]))return Mt("InvalidXml","Extra text at the end",Vt(t,a));"<"===t[a]&&a--}return n?1==r.length?Mt("InvalidTag","Unclosed tag '"+r[0].tagName+"'.",Vt(t,r[0].tagStartPos)):!(r.length>0)||Mt("InvalidXml","Invalid '"+JSON.stringify(r.map(function(t){return t.tagName}),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):Mt("InvalidXml","Start tag expected.",1)}(t,e);if(!0!==r)throw Error(r.err.msg+":"+r.err.line+":"+r.err.col)}var n=new H(this.options,this.externalEntities),i=n.parseXml(t);return this.options.preserveOrder||void 0===i?i:xt(i,this.options,n.matcher,n.readonlyMatcher)},e.addEntity=function(t,e){if(-1!==e.indexOf("&"))throw new Error("Entity value can't have '&'");if(-1!==t.indexOf("&")||-1!==t.indexOf(";"))throw new Error("An entity must be set without '&' and ';'. Eg. use '#xD' for '&#xD;'");if("&"===e)throw new Error("An entity with value '&' is not permitted");this.externalEntities[t]=e},t.getMetaDataSymbol=function(){return f.getMetaDataSymbol()},t}();return e})());
!function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.XMLParser=e():t.XMLParser=e()}(this,()=>(()=>{"use strict";var t={d:(e,r)=>{for(var i in r)t.o(r,i)&&!t.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:r[i]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{default:()=>Qt});var r=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+r+"]["+r+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function n(t,e){for(var r=[],i=e.exec(t);i;){var n=[];n.startIndex=e.lastIndex-i[0].length;for(var a=i.length,s=0;s<a;s++)n.push(i[s]);r.push(n),i=e.exec(t)}return r}var a=function(t){return!(null==i.exec(t))},s=["hasOwnProperty","toString","valueOf","__defineGetter__","__defineSetter__","__lookupGetter__","__lookupSetter__"],o=["__proto__","constructor","prototype"],l=function(t){return s.includes(t)?"__"+t:t},c={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0,unicode:!1},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:function(){return!1},commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,entityDecoder:null,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,r){return t},captureMetaData:!1,maxNestedTags:100,strictReservedNames:!0,jPath:!0,onDangerousProperty:l};function p(t,e){if("string"==typeof t){var r=t.toLowerCase();if(s.some(function(t){return r===t.toLowerCase()}))throw new Error("[SECURITY] Invalid "+e+': "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution');if(o.some(function(t){return r===t.toLowerCase()}))throw new Error("[SECURITY] Invalid "+e+': "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution')}}function d(t,e){return"boolean"==typeof t?{enabled:t,maxEntitySize:1e4,maxExpansionDepth:1e4,maxTotalExpansions:1/0,maxExpandedLength:1e5,maxEntityCount:1e3,allowedTags:null,tagFilter:null,appliesTo:"all"}:"object"==typeof t&&null!==t?{enabled:!1!==t.enabled,maxEntitySize:Math.max(1,null!=(r=t.maxEntitySize)?r:1e4),maxExpansionDepth:Math.max(1,null!=(i=t.maxExpansionDepth)?i:1e4),maxTotalExpansions:Math.max(1,null!=(n=t.maxTotalExpansions)?n:1/0),maxExpandedLength:Math.max(1,null!=(a=t.maxExpandedLength)?a:1e5),maxEntityCount:Math.max(1,null!=(s=t.maxEntityCount)?s:1e3),allowedTags:null!=(o=t.allowedTags)?o:null,tagFilter:null!=(l=t.tagFilter)?l:null,appliesTo:null!=(c=t.appliesTo)?c:"all"}:d(!0);var r,i,n,a,s,o,l,c}var h,u=function(t){for(var e=Object.assign({},c,t),r=0,i=[{value:e.attributeNamePrefix,name:"attributeNamePrefix"},{value:e.attributesGroupName,name:"attributesGroupName"},{value:e.textNodeName,name:"textNodeName"},{value:e.cdataPropName,name:"cdataPropName"},{value:e.commentPropName,name:"commentPropName"}];r<i.length;r++){var n=i[r],a=n.value,s=n.name;a&&p(a,s)}return null===e.onDangerousProperty&&(e.onDangerousProperty=l),e.processEntities=d(e.processEntities,e.htmlEntities),e.unpairedTagsSet=new Set(e.unpairedTags),e.stopNodes&&Array.isArray(e.stopNodes)&&(e.stopNodes=e.stopNodes.map(function(t){return"string"==typeof t&&t.startsWith("*.")?".."+t.substring(2):t})),e};h="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");var f=function(){function t(t){this.tagname=t,this.child=[],this[":@"]=Object.create(null)}var e=t.prototype;return e.add=function(t,e){var r;"__proto__"===t&&(t="#__proto__"),this.child.push(((r={})[t]=e,r))},e.addChild=function(t,e){var r,i;"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push(((r={})[t.tagname]=t.child,r[":@"]=t[":@"],r)):this.child.push(((i={})[t.tagname]=t.child,i)),void 0!==e&&(this.child[this.child.length-1][h]={startIndex:e})},t.getMetaDataSymbol=function(){return h},t}();const g=":A-Za-z_À-ÖØ-öø-˿Ͱ-ͽͿ-҆҈-῿‌-‍⁰-↏Ⰰ-⿯、-퟿豈-﷏ﷰ-�",m=":A-Za-z_À-˿Ͱ-ͽͿ-҆҈-῿‌-‍⁰-↏Ⰰ-⿯、-퟿豈-﷏ﷰ-�𐀀-󯿿",v=m+"\\-\\.\\d·̀-ͯ҇‿-⁀",x=(t,e,r="")=>{const i=`[${t.replace(":","")}][${e.replace(":","")}]*`;return{name:new RegExp(`^[${t}][${e}]*$`,r),ncName:new RegExp(`^${i}$`,r),qName:new RegExp(`^${i}(?::${i})?$`,r),nmToken:new RegExp(`^[${e}]+$`,r),nmTokens:new RegExp(`^[${e}]+(?:\\s+[${e}]+)*$`,r)}},b=x(g,g+"\\-\\.\\d·̀-ͯ‿-⁀"),y=x(m,v,"u"),E=(t,{xmlVersion:e="1.0"}={})=>((t="1.0")=>"1.1"===t?y:b)(e).qName.test(t);var w=function(){function t(t,e){this.suppressValidationErr=!t,this.options=t,this.xmlVersion=e||1}var e=t.prototype;return e.setXmlVersion=function(t){void 0===t&&(t=1),this.xmlVersion=t},e.readDocType=function(t,e){var r=Object.create(null),i=0;if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");e+=9;for(var n=1,a=!1,s=!1;e<t.length;e++)if("<"!==t[e]||s)if(">"===t[e]){if(s?"-"===t[e-1]&&"-"===t[e-2]&&(s=!1,n--):n--,0===n)break}else"["===t[e]?a=!0:t[e];else{if(a&&N(t,"!ENTITY",e)){e+=7;var o,l=void 0,c=this.readEntityExp(t,e+1,this.suppressValidationErr);if(o=c[0],l=c[1],e=c[2],-1===l.indexOf("&")){if(!1!==this.options.enabled&&null!=this.options.maxEntityCount&&i>=this.options.maxEntityCount)throw new Error("Entity count ("+(i+1)+") exceeds maximum allowed ("+this.options.maxEntityCount+")");r[o]=l,i++}}else if(a&&N(t,"!ELEMENT",e))e+=8,e=this.readElementExp(t,e+1).index;else if(a&&N(t,"!ATTLIST",e))e+=8;else if(a&&N(t,"!NOTATION",e))e+=9,e=this.readNotationExp(t,e+1,this.suppressValidationErr).index;else{if(!N(t,"!--",e))throw new Error("Invalid DOCTYPE");s=!0}n++}if(0!==n)throw new Error("Unclosed DOCTYPE");return{entities:r,i:e}},e.readEntityExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e])&&'"'!==t[e]&&"'"!==t[e];)e++;var i=t.substring(r,e);if(_(i,{xmlVersion:this.xmlVersion}),e=S(t,e),!this.suppressValidationErr){if("SYSTEM"===t.substring(e,e+6).toUpperCase())throw new Error("External entities are not supported");if("%"===t[e])throw new Error("Parameter entities are not supported")}var n,a=this.readIdentifierVal(t,e,"entity");if(e=a[0],n=a[1],!1!==this.options.enabled&&null!=this.options.maxEntitySize&&n.length>this.options.maxEntitySize)throw new Error('Entity "'+i+'" size ('+n.length+") exceeds maximum allowed size ("+this.options.maxEntitySize+")");return[i,n,--e]},e.readNotationExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);!this.suppressValidationErr&&_(i,{xmlVersion:this.xmlVersion}),e=S(t,e);var n=t.substring(e,e+6).toUpperCase();if(!this.suppressValidationErr&&"SYSTEM"!==n&&"PUBLIC"!==n)throw new Error('Expected SYSTEM or PUBLIC, found "'+n+'"');e+=n.length,e=S(t,e);var a=null,s=null;if("PUBLIC"===n){var o=this.readIdentifierVal(t,e,"publicIdentifier");if(e=o[0],a=o[1],'"'===t[e=S(t,e)]||"'"===t[e]){var l=this.readIdentifierVal(t,e,"systemIdentifier");e=l[0],s=l[1]}}else if("SYSTEM"===n){var c=this.readIdentifierVal(t,e,"systemIdentifier");if(e=c[0],s=c[1],!this.suppressValidationErr&&!s)throw new Error("Missing mandatory system identifier for SYSTEM notation")}return{notationName:i,publicIdentifier:a,systemIdentifier:s,index:--e}},e.readIdentifierVal=function(t,e,r){var i,n=t[e];if('"'!==n&&"'"!==n)throw new Error('Expected quoted string, found "'+n+'"');for(var a=++e;e<t.length&&t[e]!==n;)e++;if(i=t.substring(a,e),t[e]!==n)throw new Error("Unterminated "+r+" value");return[++e,i]},e.readElementExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);if(!this.suppressValidationErr&&!E(i,{xmlVersion:this.xmlVersion}))throw new Error('Invalid element name: "'+i+'"');var n="";if("E"===t[e=S(t,e)]&&N(t,"MPTY",e))e+=4;else if("A"===t[e]&&N(t,"NY",e))e+=2;else if("("===t[e]){for(var a=++e;e<t.length&&")"!==t[e];)e++;if(n=t.substring(a,e),")"!==t[e])throw new Error("Unterminated content model")}else if(!this.suppressValidationErr)throw new Error('Invalid Element Expression, found "'+t[e]+'"');return{elementName:i,contentModel:n.trim(),index:e}},e.readAttlistExp=function(t,e){for(var r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var i=t.substring(r,e);for(_(i,{xmlVersion:this.xmlVersion}),r=e=S(t,e);e<t.length&&!/\s/.test(t[e]);)e++;var n=t.substring(r,e);if(!_(n,{xmlVersion:this.xmlVersion}))throw new Error('Invalid attribute name: "'+n+'"');e=S(t,e);var a="";if("NOTATION"===t.substring(e,e+8).toUpperCase()){if(a="NOTATION","("!==t[e=S(t,e+=8)])throw new Error("Expected '(', found \""+t[e]+'"');e++;for(var s=[];e<t.length&&")"!==t[e];){for(var o=e;e<t.length&&"|"!==t[e]&&")"!==t[e];)e++;var l=t.substring(o,e);if(!_(l=l.trim(),{xmlVersion:this.xmlVersion}))throw new Error('Invalid notation name: "'+l+'"');s.push(l),"|"===t[e]&&(e++,e=S(t,e))}if(")"!==t[e])throw new Error("Unterminated list of notations");e++,a+=" ("+s.join("|")+")"}else{for(var c=e;e<t.length&&!/\s/.test(t[e]);)e++;if(a+=t.substring(c,e),!this.suppressValidationErr&&!["CDATA","ID","IDREF","IDREFS","ENTITY","ENTITIES","NMTOKEN","NMTOKENS"].includes(a.toUpperCase()))throw new Error('Invalid attribute type: "'+a+'"')}e=S(t,e);var p="";if("#REQUIRED"===t.substring(e,e+8).toUpperCase())p="#REQUIRED",e+=8;else if("#IMPLIED"===t.substring(e,e+7).toUpperCase())p="#IMPLIED",e+=7;else{var d=this.readIdentifierVal(t,e,"ATTLIST");e=d[0],p=d[1]}return{elementName:i,attributeName:n,attributeType:a,defaultValue:p,index:e}},t}(),S=function(t,e){for(;e<t.length&&/\s/.test(t[e]);)e++;return e};function N(t,e,r){for(var i=0;i<e.length;i++)if(e[i]!==t[r+i+1])return!1;return!0}function _(t,e){if(E(t,{xmlVersion:e}))return t;throw new Error("Invalid entity name "+t)}const T=[48,1632,1776,2406,2534,2662,2790,2918,3046,3174,3302,3430,3558,3664,3792,3872,4160,4240,6112,6160,6470,6608,6784,6800,6992,7088,7232,7248,65296,120782,120792,120802,120812,120822,66720,68912,69734,69872,69942,70096,70384,70736,70864,71248,71360,71472,71904,72016,72688,72784,73040,73120,73552,92768,92864,93008,123200,123632,124144,125264,130032],A=new Map,C=1632,I=new Uint8Array(63904).fill(255);for(const t of T)for(let e=0;e<10;e++){const r=t+e;r<=65535?I[r-C]=e:A.set(r,e)}const j=new Set([8722,65293,65123]),O=/^[-+]?0x[a-fA-F0-9]+$/,k=/^0b[01]+$/,D=/^0o[0-7]+$/,L=/^([\-\+])?(0*)([0-9]*(\.[0-9]*)?)$/,$={hex:!0,binary:!1,octal:!1,leadingZeros:!0,decimalPoint:".",eNotation:!0,infinity:"original",unicode:!1};function P(t,e={}){if(e=Object.assign({},$,e),!t||"string"!=typeof t)return t;let r=t.trim();if(0===r.length)return t;if(void 0!==e.skipLike&&e.skipLike.test(r))return t;if("0"===r)return 0;if(e.unicode&&(r=function(t){if("string"!=typeof t)return t;const e=t.length;if(0===e)return t;let r=-1;for(let i=0;i<e;i++){const n=t.charCodeAt(i);if(!(n>=48&&n<=57||45===n))if(n<C){if(j.has(n)){r=i;break}}else if(n>=55296&&n<=56319){if(i+1<e){const e=t.charCodeAt(i+1);if(e>=56320&&e<=57343){const t=65536+(n-55296<<10)+(e-56320);if(A.has(t)){r=i;break}}}}else if(255!==I[n-C]||j.has(n)){r=i;break}}if(-1===r)return t;const i=[];r>0&&i.push(t.slice(0,r));for(let n=r;n<e;n++){const r=t.charCodeAt(n);if(r>=48&&r<=57||45===r){i.push(t[n]);continue}if(r<C){i.push(j.has(r)?"-":t[n]);continue}if(r>=55296&&r<=56319){if(n+1<e){const e=t.charCodeAt(n+1);if(e>=56320&&e<=57343){const t=65536+(r-55296<<10)+(e-56320),a=A.get(t);if(void 0!==a){i.push(String.fromCharCode(a+48)),n++;continue}}}i.push(t[n]);continue}if(j.has(r)){i.push("-");continue}const a=I[r-C];i.push(255!==a?String.fromCharCode(a+48):t[n])}return i.join("")}(r),"0"===r))return 0;if(e.hex&&O.test(r))return R(r,16);if(e.binary&&k.test(r))return R(r,2);if(e.octal&&D.test(r))return R(r,8);if(isFinite(r)){if(r.includes("e")||r.includes("E"))return function(t,e,r){if(!r.eNotation)return t;const i=e.match(M);if(i){let n=i[1]||"";const a=-1===i[3].indexOf("e")?"E":"e",s=i[2],o=n?t[s.length+1]===a:t[s.length]===a;return s.length>1&&o?t:(1!==s.length||!i[3].startsWith(`.${a}`)&&i[3][0]!==a)&&s.length>0?r.leadingZeros&&!o?(e=(i[1]||"")+i[3],Number(e)):t:Number(e)}return t}(t,r,e);{const n=L.exec(r);if(n){const a=n[1]||"",s=n[2];let o=(i=n[3])&&-1!==i.indexOf(".")?("."===(i=i.replace(/0+$/,""))?i="0":"."===i[0]?i="0"+i:"."===i[i.length-1]&&(i=i.substring(0,i.length-1)),i):i;const l=a?"."===t[s.length+1]:"."===t[s.length];if(!e.leadingZeros&&(s.length>1||1===s.length&&!l))return t;{const i=Number(r),n=String(i);if(0===i)return i;if(-1!==n.search(/[eE]/))return e.eNotation?i:t;if(-1!==r.indexOf("."))return"0"===n||n===o||n===`${a}${o}`?i:t;let l=s?o:r;return s?l===n||a+l===n?i:t:l===n||l===a+n?i:t}}return t}}var i;return function(t,e,r){const i=e===1/0;switch(r.infinity.toLowerCase()){case"null":return null;case"infinity":return e;case"string":return i?"Infinity":"-Infinity";default:return t}}(t,Number(r),e)}const M=/^([-+])?(0*)(\d*(\.\d*)?[eE][-\+]?\d+)$/;function R(t,e){const r=t.trim();if(2!==e&&8!==e||(t=r.substring(2)),parseInt)return parseInt(t,e);if(Number.parseInt)return Number.parseInt(t,e);if(window&&window.parseInt)return window.parseInt(t,e);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}function V(t,e){(null==e||e>t.length)&&(e=t.length);for(var r=0,i=Array(e);r<e;r++)i[r]=t[r];return i}class q{constructor(t){this._matcher=t}get separator(){return this._matcher.separator}getCurrentTag(){const t=this._matcher.path;return t.length>0?t[t.length-1].tag:void 0}getCurrentNamespace(){const t=this._matcher.path;return t.length>0?t[t.length-1].namespace:void 0}getAttrValue(t){const e=this._matcher.path;if(0!==e.length)return e[e.length-1].values?.[t]}hasAttr(t){const e=this._matcher.path;if(0===e.length)return!1;const r=e[e.length-1];return void 0!==r.values&&t in r.values}getPosition(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].position??0}getCounter(){const t=this._matcher.path;return 0===t.length?-1:t[t.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this._matcher.path.length}toString(t,e=!0){return this._matcher.toString(t,e)}toArray(){return this._matcher.path.map(t=>t.tag)}matches(t){return this._matcher.matches(t)}matchesAny(t){return t.matchesAny(this._matcher)}}class U{constructor(t={}){this.separator=t.separator||".",this.path=[],this.siblingStacks=[],this._pathStringCache=null,this._view=new q(this)}push(t,e=null,r=null){this._pathStringCache=null,this.path.length>0&&(this.path[this.path.length-1].values=void 0);const i=this.path.length;this.siblingStacks[i]||(this.siblingStacks[i]=new Map);const n=this.siblingStacks[i],a=r?`${r}:${t}`:t,s=n.get(a)||0;let o=0;for(const t of n.values())o+=t;n.set(a,s+1);const l={tag:t,position:o,counter:s};null!=r&&(l.namespace=r),null!=e&&(l.values=e),this.path.push(l)}pop(){if(0===this.path.length)return;this._pathStringCache=null;const t=this.path.pop();return this.siblingStacks.length>this.path.length+1&&(this.siblingStacks.length=this.path.length+1),t}updateCurrent(t){if(this.path.length>0){const e=this.path[this.path.length-1];null!=t&&(e.values=t)}}getCurrentTag(){return this.path.length>0?this.path[this.path.length-1].tag:void 0}getCurrentNamespace(){return this.path.length>0?this.path[this.path.length-1].namespace:void 0}getAttrValue(t){if(0!==this.path.length)return this.path[this.path.length-1].values?.[t]}hasAttr(t){if(0===this.path.length)return!1;const e=this.path[this.path.length-1];return void 0!==e.values&&t in e.values}getPosition(){return 0===this.path.length?-1:this.path[this.path.length-1].position??0}getCounter(){return 0===this.path.length?-1:this.path[this.path.length-1].counter??0}getIndex(){return this.getPosition()}getDepth(){return this.path.length}toString(t,e=!0){const r=t||this.separator;if(r===this.separator&&!0===e){if(null!==this._pathStringCache)return this._pathStringCache;const t=this.path.map(t=>t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(r);return this._pathStringCache=t,t}return this.path.map(t=>e&&t.namespace?`${t.namespace}:${t.tag}`:t.tag).join(r)}toArray(){return this.path.map(t=>t.tag)}reset(){this._pathStringCache=null,this.path=[],this.siblingStacks=[]}matches(t){const e=t.segments;return 0!==e.length&&(t.hasDeepWildcard()?this._matchWithDeepWildcard(e):this._matchSimple(e))}_matchSimple(t){if(this.path.length!==t.length)return!1;for(let e=0;e<t.length;e++)if(!this._matchSegment(t[e],this.path[e],e===this.path.length-1))return!1;return!0}_matchWithDeepWildcard(t){let e=this.path.length-1,r=t.length-1;for(;r>=0&&e>=0;){const i=t[r];if("deep-wildcard"===i.type){if(r--,r<0)return!0;const i=t[r];let n=!1;for(let t=e;t>=0;t--)if(this._matchSegment(i,this.path[t],t===this.path.length-1)){e=t-1,r--,n=!0;break}if(!n)return!1}else{if(!this._matchSegment(i,this.path[e],e===this.path.length-1))return!1;e--,r--}}return r<0}_matchSegment(t,e,r){if("*"!==t.tag&&t.tag!==e.tag)return!1;if(void 0!==t.namespace&&"*"!==t.namespace&&t.namespace!==e.namespace)return!1;if(void 0!==t.attrName){if(!r)return!1;if(!e.values||!(t.attrName in e.values))return!1;if(void 0!==t.attrValue&&String(e.values[t.attrName])!==String(t.attrValue))return!1}if(void 0!==t.position){if(!r)return!1;const i=e.counter??0;if("first"===t.position&&0!==i)return!1;if("odd"===t.position&&i%2!=1)return!1;if("even"===t.position&&i%2!=0)return!1;if("nth"===t.position&&i!==t.positionValue)return!1}return!0}matchesAny(t){return t.matchesAny(this)}snapshot(){return{path:this.path.map(t=>({...t})),siblingStacks:this.siblingStacks.map(t=>new Map(t))}}restore(t){this._pathStringCache=null,this.path=t.path.map(t=>({...t})),this.siblingStacks=t.siblingStacks.map(t=>new Map(t))}readOnly(){return this._view}}class F{constructor(t,e={},r){this.pattern=t,this.separator=e.separator||".",this.segments=this._parse(t),this.data=r,this._hasDeepWildcard=this.segments.some(t=>"deep-wildcard"===t.type),this._hasAttributeCondition=this.segments.some(t=>void 0!==t.attrName),this._hasPositionSelector=this.segments.some(t=>void 0!==t.position)}_parse(t){const e=[];let r=0,i="";for(;r<t.length;)t[r]===this.separator?r+1<t.length&&t[r+1]===this.separator?(i.trim()&&(e.push(this._parseSegment(i.trim())),i=""),e.push({type:"deep-wildcard"}),r+=2):(i.trim()&&e.push(this._parseSegment(i.trim())),i="",r++):(i+=t[r],r++);return i.trim()&&e.push(this._parseSegment(i.trim())),e}_parseSegment(t){const e={type:"tag"};let r=null,i=t;const n=t.match(/^([^\[]+)(\[[^\]]*\])(.*)$/);if(n&&(i=n[1]+n[3],n[2])){const t=n[2].slice(1,-1);t&&(r=t)}let a,s,o=i;if(i.includes("::")){const e=i.indexOf("::");if(a=i.substring(0,e).trim(),o=i.substring(e+2).trim(),!a)throw new Error(`Invalid namespace in pattern: ${t}`)}let l=null;if(o.includes(":")){const t=o.lastIndexOf(":"),e=o.substring(0,t).trim(),r=o.substring(t+1).trim();["first","last","odd","even"].includes(r)||/^nth\(\d+\)$/.test(r)?(s=e,l=r):s=o}else s=o;if(!s)throw new Error(`Invalid segment pattern: ${t}`);if(e.tag=s,a&&(e.namespace=a),r)if(r.includes("=")){const t=r.indexOf("=");e.attrName=r.substring(0,t).trim(),e.attrValue=r.substring(t+1).trim()}else e.attrName=r.trim();if(l){const t=l.match(/^nth\((\d+)\)$/);t?(e.position="nth",e.positionValue=parseInt(t[1],10)):e.position=l}return e}get length(){return this.segments.length}hasDeepWildcard(){return this._hasDeepWildcard}hasAttributeCondition(){return this._hasAttributeCondition}hasPositionSelector(){return this._hasPositionSelector}toString(){return this.pattern}}class X{constructor(){this._byDepthAndTag=new Map,this._wildcardByDepth=new Map,this._deepWildcards=[],this._patterns=new Set,this._sealed=!1}add(t){if(this._sealed)throw new TypeError("ExpressionSet is sealed. Create a new ExpressionSet to add more expressions.");if(this._patterns.has(t.pattern))return this;if(this._patterns.add(t.pattern),t.hasDeepWildcard())return this._deepWildcards.push(t),this;const e=t.length,r=t.segments[t.segments.length-1],i=r?.tag;if(i&&"*"!==i){const r=`${e}:${i}`;this._byDepthAndTag.has(r)||this._byDepthAndTag.set(r,[]),this._byDepthAndTag.get(r).push(t)}else this._wildcardByDepth.has(e)||this._wildcardByDepth.set(e,[]),this._wildcardByDepth.get(e).push(t);return this}addAll(t){for(const e of t)this.add(e);return this}has(t){return this._patterns.has(t.pattern)}get size(){return this._patterns.size}seal(){return this._sealed=!0,this}get isSealed(){return this._sealed}matchesAny(t){return null!==this.findMatch(t)}findMatch(t){const e=t.getDepth(),r=`${e}:${t.getCurrentTag()}`,i=this._byDepthAndTag.get(r);if(i)for(let e=0;e<i.length;e++)if(t.matches(i[e]))return i[e];const n=this._wildcardByDepth.get(e);if(n)for(let e=0;e<n.length;e++)if(t.matches(n[e]))return n[e];for(let e=0;e<this._deepWildcards.length;e++)if(t.matches(this._deepWildcards[e]))return this._deepWildcards[e];return null}}const B={cent:"¢",pound:"£",curren:"¤",yen:"¥",euro:"€",dollar:"$",fnof:"ƒ",inr:"₹",af:"؋",birr:"ብር",peso:"₱",rub:"₽",won:"₩",yuan:"¥",cedil:"¸"},W={amp:"&",apos:"'",gt:">",lt:"<",quot:'"'},Y={nbsp:" ",copy:"©",reg:"®",trade:"™",mdash:"—",ndash:"–",hellip:"…",laquo:"«",raquo:"»",lsquo:"‘",rsquo:"’",ldquo:"“",rdquo:"”",bull:"•",para:"¶",sect:"§",deg:"°",frac12:"½",frac14:"¼",frac34:"¾"},G=Object.freeze({ALLOW:"allow",BLOCK:"block",THROW:"throw"}),H=new Set("!?\\\\/[]$%{}^&*()<>|+");function z(t){if("#"===t[0])throw new Error(`[EntityReplacer] Invalid character '#' in entity name: "${t}"`);for(const e of t)if(H.has(e))throw new Error(`[EntityReplacer] Invalid character '${e}' in entity name: "${t}"`);return t}function Q(...t){const e=Object.create(null);for(const r of t)if(r)for(const t of Object.keys(r)){const i=r[t];if("string"==typeof i)e[t]=i;else if(i&&"object"==typeof i&&void 0!==i.val){const r=i.val;"string"==typeof r&&(e[t]=r)}}return e}const J="external",Z="base",K="all",tt=Object.freeze({allow:0,leave:1,remove:2,throw:3}),et=new Set([9,10,13]);class rt{constructor(t={}){var e;this._limit=t.limit||{},this._maxTotalExpansions=this._limit.maxTotalExpansions||0,this._maxExpandedLength=this._limit.maxExpandedLength||0,this._postCheck="function"==typeof t.postCheck?t.postCheck:t=>t,this._limitTiers=(e=this._limit.applyLimitsTo??J)&&e!==J?e===K?new Set([K]):e===Z?new Set([Z]):Array.isArray(e)?new Set(e):new Set([J]):new Set([J]),this._numericAllowed=t.numericAllowed??!0,this._baseMap=Q(W,t.namedEntities||null),this._externalMap=Object.create(null),this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this._removeSet=new Set(t.remove&&Array.isArray(t.remove)?t.remove:[]),this._leaveSet=new Set(t.leave&&Array.isArray(t.leave)?t.leave:[]);const r=function(t){if(!t)return{xmlVersion:1,onLevel:tt.allow,nullLevel:tt.remove};const e=1.1===t.xmlVersion?1.1:1,r=tt[t.onNCR]??tt.allow,i=tt[t.nullNCR]??tt.remove;return{xmlVersion:e,onLevel:r,nullLevel:Math.max(i,tt.remove)}}(t.ncr);this._ncrXmlVersion=r.xmlVersion,this._ncrOnLevel=r.onLevel,this._ncrNullLevel=r.nullLevel,this._onExternalEntity="function"==typeof t.onExternalEntity?t.onExternalEntity:null,this._onInputEntity="function"==typeof t.onInputEntity?t.onInputEntity:null}_applyRegistrationHook(t,e,r,i){if(!t)return!0;const n=t(e,r);if(n===G.BLOCK)return!1;if(n===G.THROW)throw new Error(`[EntityDecoder] Registration of ${i} entity "&${e};" was rejected by hook`);return!0}setExternalEntities(t){if(t)for(const e of Object.keys(t))z(e);if(!this._onExternalEntity)return void(this._externalMap=Q(t));const e=Q(t),r=Object.create(null);for(const[t,i]of Object.entries(e))this._applyRegistrationHook(this._onExternalEntity,t,i,"external")&&(r[t]=i);this._externalMap=r}addExternalEntity(t,e){z(t),"string"==typeof e&&-1===e.indexOf("&")&&this._applyRegistrationHook(this._onExternalEntity,t,e,"external")&&(this._externalMap[t]=e)}addInputEntities(t){if(this._totalExpansions=0,this._expandedLength=0,!this._onInputEntity)return void(this._inputMap=Q(t));const e=Q(t),r=Object.create(null);for(const[t,i]of Object.entries(e))this._applyRegistrationHook(this._onInputEntity,t,i,"input")&&(r[t]=i);this._inputMap=r}reset(){return this._inputMap=Object.create(null),this._totalExpansions=0,this._expandedLength=0,this}setXmlVersion(t){this._ncrXmlVersion=1.1===t?1.1:1}decode(t){if("string"!=typeof t||0===t.length)return t;if(-1===t.indexOf("&"))return t;const e=t,r=[],i=t.length;let n=0,a=0;const s=this._maxTotalExpansions>0,o=this._maxExpandedLength>0,l=s||o;for(;a<i;){if(38!==t.charCodeAt(a)){a++;continue}let e=a+1;for(;e<i&&59!==t.charCodeAt(e)&&e-a<=32;)e++;if(e>=i||59!==t.charCodeAt(e)){a++;continue}const c=t.slice(a+1,e);if(0===c.length){a++;continue}let p,d;if(this._removeSet.has(c))p="",void 0===d&&(d=J);else{if(this._leaveSet.has(c)){a++;continue}if(35===c.charCodeAt(0)){const t=this._resolveNCR(c);if(void 0===t){a++;continue}p=t,d=Z}else{const t=this._resolveName(c);p=t?.value,d=t?.tier}}if(void 0!==p){if(a>n&&r.push(t.slice(n,a)),r.push(p),n=e+1,a=n,l&&this._tierCounts(d)){if(s&&(this._totalExpansions++,this._totalExpansions>this._maxTotalExpansions))throw new Error(`[EntityReplacer] Entity expansion count limit exceeded: ${this._totalExpansions} > ${this._maxTotalExpansions}`);if(o){const t=p.length-(c.length+2);if(t>0&&(this._expandedLength+=t,this._expandedLength>this._maxExpandedLength))throw new Error(`[EntityReplacer] Expanded content length limit exceeded: ${this._expandedLength} > ${this._maxExpandedLength}`)}}}else a++}n<i&&r.push(t.slice(n));const c=0===r.length?t:r.join("");return this._postCheck(c,e)}_tierCounts(t){return!!this._limitTiers.has(K)||this._limitTiers.has(t)}_resolveName(t){return t in this._inputMap?{value:this._inputMap[t],tier:J}:t in this._externalMap?{value:this._externalMap[t],tier:J}:t in this._baseMap?{value:this._baseMap[t],tier:Z}:void 0}_classifyNCR(t){return 0===t?this._ncrNullLevel:t>=55296&&t<=57343||1===this._ncrXmlVersion&&t>=1&&t<=31&&!et.has(t)?tt.remove:-1}_applyNCRAction(t,e,r){switch(t){case tt.allow:return String.fromCodePoint(r);case tt.remove:return"";case tt.leave:return;case tt.throw:throw new Error(`[EntityDecoder] Prohibited numeric character reference &${e}; (U+${r.toString(16).toUpperCase().padStart(4,"0")})`);default:return String.fromCodePoint(r)}}_resolveNCR(t){const e=t.charCodeAt(1);let r;if(r=120===e||88===e?parseInt(t.slice(2),16):parseInt(t.slice(1),10),Number.isNaN(r)||r<0||r>1114111)return;const i=this._classifyNCR(r);if(!this._numericAllowed&&i<tt.remove)return;const n=-1===i?this._ncrOnLevel:Math.max(this._ncrOnLevel,i);return this._applyNCRAction(n,t,r)}}const it=[{id:"sql-block-comment-open",description:"SQL block comment open: /* ... */ — unusual in legitimate user text",pattern:/\/\*/},{id:"sql-union-select",description:"UNION SELECT — most common SQL injection aggregation attack",pattern:/\bUNION\s{1,20}(?:ALL\s{1,20})?SELECT\b/i},{id:"sql-drop-table",description:"DROP TABLE — destructive DDL injection",pattern:/\bDROP\s{1,20}TABLE\b/i},{id:"sql-drop-database",description:"DROP DATABASE — destructive DDL injection",pattern:/\bDROP\s{1,20}DATABASE\b/i},{id:"sql-insert-into",description:"INSERT INTO — data injection",pattern:/\bINSERT\s{1,20}INTO\b/i},{id:"sql-delete-from",description:"DELETE FROM — data deletion injection",pattern:/\bDELETE\s{1,20}FROM\b/i},{id:"sql-update-set",description:"UPDATE ... SET — data modification injection",pattern:/\bUPDATE\b[\s\S]{1,60}\bSET\b/i},{id:"sql-exec-xp",description:"EXEC xp_ — MSSQL extended stored procedure execution",pattern:/\bEXEC(?:UTE)?\s{1,20}xp_/i},{id:"sql-tautology-string",description:'Classic string tautology: \' OR \'1\'=\'1 or " OR "1"="1"',pattern:/'\s{0,10}OR\s{0,10}'[^']{0,20}'\s*=\s*'[^']{0,20}/i},{id:"sql-tautology-numeric",description:"Numeric tautology: OR 1=1",pattern:/\bOR\s{1,10}1\s*=\s*1\b/i},{id:"sql-always-true-zero",description:"Numeric tautology: OR 0=0",pattern:/\bOR\s{1,10}0\s*=\s*0\b/i},{id:"sql-sleep-benchmark",description:"Time-based blind injection: SLEEP() or BENCHMARK()",pattern:/\b(?:SLEEP|BENCHMARK)\s*\(/i},{id:"sql-waitfor-delay",description:"MSSQL time-based blind injection: WAITFOR DELAY",pattern:/\bWAITFOR\s{1,20}DELAY\b/i},{id:"sql-char-function",description:"CHAR() function — used to obfuscate injected strings",pattern:/\bCHAR\s*\(\s*\d{1,3}/i},{id:"sql-information-schema",description:"INFORMATION_SCHEMA — reconnaissance query for table/column enumeration",pattern:/\bINFORMATION_SCHEMA\b/i}],nt="[\"'\\s]*:",at={HTML:[{id:"html-script-open",description:"<script opening tag",pattern:/<script[\s>/]/i},{id:"html-script-close",description:"<\/script closing tag",pattern:/<\/script[\s>]/i},{id:"html-javascript-protocol",description:"javascript: URI scheme (with optional whitespace/encoding)",pattern:/j[\t\n\r ]*a[\t\n\r ]*v[\t\n\r ]*a[\t\n\r ]*s[\t\n\r ]*c[\t\n\r ]*r[\t\n\r ]*i[\t\n\r ]*p[\t\n\r ]*t[\t\n\r ]*:/i},{id:"html-vbscript-protocol",description:"vbscript: URI scheme",pattern:/vbscript[\t\n\r ]*:/i},{id:"html-data-html",description:"data:text/html URI — can execute scripts in browsers",pattern:/data[\t\n\r ]*:[\t\n\r ]*text\/html/i},{id:"html-data-xhtml",description:"data:application/xhtml+xml URI",pattern:/data[\t\n\r ]*:[\t\n\r ]*application\/xhtml/i},{id:"html-data-svg",description:"data:image/svg+xml URI — can execute scripts",pattern:/data[\t\n\r ]*:[\t\n\r ]*image\/svg\+xml/i},{id:"html-inline-event-handler",description:"Inline event handler attributes: onclick=, onerror=, onload=, etc.",pattern:/\bon\w{1,30}\s*=/i},{id:"html-entity-obfuscated-script",description:"HTML-entity-encoded <script (e.g. &#x3C;script or &lt;script)",pattern:/(?:&#x0*3[Cc];?|&#0*60;?|&lt;)\s*script/i},{id:"html-entity-obfuscated-javascript",description:'HTML-entity-encoded javascript: (partial — catches common &#106; or &#x6a; for "j")',pattern:/(?:&#x0*6[Aa];?|&#0*106;?)\s*(?:&#x0*61;?|a)[\s\S]{0,80}script\s*:/i},{id:"html-style-expression",description:"CSS expression() — IE-era code execution in style attributes",pattern:/style[\s\S]{0,20}expression\s*\(/i},{id:"html-object-embed",description:"<object or <embed tags that can load active content",pattern:/<(?:object|embed)[\s>/]/i},{id:"html-base-tag",description:"<base href= — can hijack all relative URLs on a page",pattern:/<base[\s>]/i},{id:"html-meta-refresh",description:'<meta http-equiv="refresh" — can redirect users',pattern:/<meta[\s\S]{0,40}http-equiv[\s\S]{0,20}refresh/i},{id:"html-srcdoc",description:"srcdoc= attribute on iframes — embeds HTML that can run scripts",pattern:/srcdoc\s*=/i},{id:"html-iframe",description:"<iframe tag",pattern:/<iframe[\s>/]/i},{id:"html-form",description:"<form tag — can be used for phishing / credential harvesting injection",pattern:/<form[\s>/]/i}],XML:[{id:"xml-cdata-injection",description:"CDATA section injection: <![CDATA[ breaks out of text node context",pattern:/<!\[CDATA\[/i},{id:"xml-cdata-close",description:"CDATA close sequence: ]]> can terminate an enclosing CDATA section",pattern:/\]\]>/},{id:"xml-processing-instruction",description:"XML processing instruction: <?xml-stylesheet or <?php etc.",pattern:/<\?(?:xml[\- ]|php|asp)/i},{id:"xml-doctype-injection",description:"DOCTYPE declaration embedded in content — can define entities",pattern:/<!DOCTYPE(?:[\s[]|$)/i},{id:"xml-entity-system",description:"SYSTEM keyword — used in external entity declarations (XXE)",pattern:/\bSYSTEM\s+["']/i},{id:"xml-entity-public",description:"PUBLIC keyword — used in external entity declarations (XXE)",pattern:/\bPUBLIC\s+["']/i},{id:"xml-entity-declaration",description:"<!ENTITY declaration — defines entities, potential XXE or entity expansion",pattern:/<!ENTITY[\s%]/i},{id:"xml-billion-laughs",description:"Entity reference chaining / billion laughs: repeated &eX; style references",pattern:/(?:&\w{1,20};){3,}/},{id:"xml-namespace-confusion",description:"xmlns: attribute injection — can redefine namespaces to confuse parsers",pattern:/\bxmlns\s*(?::\w{1,40})?\s*=/i},{id:"xml-comment-injection",description:"\x3c!-- comment injection — can hide content from some parsers",pattern:/<!--/},{id:"xml-comment-close",description:"--\x3e closes an enclosing XML comment",pattern:/-->/},{id:"xml-pi-close",description:"?> closes an enclosing processing instruction",pattern:/\?>/}],SVG:[{id:"svg-script-element",description:"<script element inside SVG executes JavaScript",pattern:/<script[\s>/]/i},{id:"svg-xlink-href-javascript",description:"xlink:href with javascript: — classic SVG XSS via <a> or <use>",pattern:/xlink\s*:\s*href\s*=\s*["']?\s*javascript\s*:/i},{id:"svg-href-javascript",description:"href= with javascript: in SVG context (<a>, <animate>, etc.)",pattern:/href\s*=\s*["']?\s*javascript\s*:/i},{id:"svg-foreignobject",description:"<foreignObject embeds HTML inside SVG — can execute scripts",pattern:/<foreignObject[\s>/]/i},{id:"svg-use-external",description:"<use xlink:href or href pointing to external resource (non-fragment URL)",pattern:/<use[\s\S]{0,60}(?:xlink\s*:\s*)?href\s*=\s*(?:["'][^#]|[^"'#\s>])/i},{id:"svg-animate-href",description:'<animate attributeName="href" — can dynamically change href to javascript:',pattern:/<animate[\s\S]{0,80}attributeName\s*=\s*["'][\s]*href["']/i},{id:"svg-animate-xlinkhref",description:'<animate attributeName="xlink:href"',pattern:/<animate[\s\S]{0,80}attributeName\s*=\s*["'][\s]*xlink\s*:\s*href["']/i},{id:"svg-set-javascript",description:'<set to="javascript:..." — sets an attribute to a javascript: URI',pattern:/<set[\s\S]{0,80}to\s*=\s*["']?\s*javascript\s*:/i},{id:"svg-event-handler",description:"SVG-specific event handler attributes: onload=, onerror=, onactivate=, etc.",pattern:/\bon(?:load|error|activate|begin|end|repeat|focus|blur|click|mouse\w{1,20}|key\w{1,20})\s*=/i},{id:"svg-handler-generic",description:"Generic on* handler catch-all for SVG attributes",pattern:/\bon\w{1,30}\s*=/i},{id:"svg-filter-feimage",description:"<feImage href= — filter primitive that can load external resources",pattern:/<feImage[\s\S]{0,80}(?:xlink\s*:\s*)?href\s*=/i},{id:"svg-image-external",description:"<image xlink:href with http/https or javascript protocol",pattern:/<image[\s\S]{0,80}(?:xlink\s*:\s*)?href\s*=\s*["']?\s*(?:https?|javascript)\s*:/i},{id:"svg-style-javascript",description:"style= attribute containing javascript: (e.g. background:url(javascript:...))",pattern:/style\s*=[\s\S]{0,60}javascript\s*:/i}],SQL:it,"SQL-STRICT":[...it,{id:"sql-line-comment",description:"SQL line comment: -- followed by whitespace or end of string",pattern:/--(?:\s|$)/},{id:"sql-stacked-query",description:"Stacked queries: semicolon immediately followed by a SQL keyword",pattern:/;\s{0,10}(?:SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|EXEC)\b/i},{id:"sql-hex-encoding",description:"Hex-encoded string injection: 0x41414141 style (MySQL)",pattern:/\b0x[0-9a-f]{4,}/i}],SHELL:[{id:"shell-path-traversal-unix",description:"Unix path traversal: ../ — climbing the directory tree",pattern:/\.\.\//},{id:"shell-path-traversal-windows",description:"Windows path traversal: ..\\ — climbing the directory tree",pattern:/\.\.\\/},{id:"shell-path-traversal-encoded",description:"URL-encoded path traversal: %2e%2e or %2f variants",pattern:/%2e%2e|%2f\.\.|\.\.%2f/i},{id:"shell-null-byte",description:"Null byte injection: \\x00 or %00 — truncates strings in C-backed functions",pattern:/\x00|%00/},{id:"shell-semicolon",description:"Semicolon command separator: cmd1; cmd2",pattern:/;/},{id:"shell-pipe",description:"Pipe operator: cmd1 | cmd2",pattern:/\|/},{id:"shell-and-operator",description:"AND operator: cmd1 && cmd2",pattern:/&&/},{id:"shell-or-operator",description:"OR operator: cmd1 || cmd2",pattern:/\|\|/},{id:"shell-backtick",description:"Backtick command substitution: `cmd`",pattern:/`/},{id:"shell-dollar-paren",description:"Dollar-paren command substitution: $(cmd)",pattern:/\$\(/},{id:"shell-dollar-brace",description:"Dollar-brace variable expansion: ${var} — can be abused for injection",pattern:/\$\{/},{id:"shell-redirect-out",description:"Output redirection: cmd > file or cmd >> file",pattern:/>{1,2}/},{id:"shell-redirect-in",description:"Input redirection: cmd < file",pattern:/</},{id:"shell-newline-injection",description:"Newline injection: \\n or \\r — can inject new shell commands",pattern:/[\n\r]/},{id:"shell-glob-star",description:"Glob expansion: * or ? — can expand to unintended files",pattern:/[/\\][*?]/},{id:"shell-absolute-root",description:"Absolute root path injection: string starting with / or \\ (Windows UNC)",pattern:/^(?:\/|\\\\)/},{id:"shell-windows-drive",description:"Windows drive letter path injection: C:\\ or D:/",pattern:/^[a-zA-Z]:[/\\]/},{id:"shell-curl-wget",description:"curl/wget with URL or flags — can exfiltrate data or download payloads",pattern:/\b(?:curl|wget)\s+(?:https?:\/\/|ftp:\/\/|-)/i}],REDOS:[{id:"redos-nested-quantifier-plus",description:"Nested + quantifier inside a group with outer quantifier: (a+)+, (.+b)*, etc.",pattern:/\([^)]*\+[^)]*\)[+*]/},{id:"redos-nested-quantifier-star",description:"Nested * quantifier: (a*)* or (a*)+ — catastrophic backtracking",pattern:/\([^)]*\*[^)]*\)[*+]/},{id:"redos-nested-groups",description:"Doubly nested quantified groups: ((a+)+) — guaranteed catastrophic",pattern:/\(\([^)]{0,40}\)[+*]\)[+*]/},{id:"redos-alternation-overlap",description:"Overlapping alternation under quantifier: (a|a)+ — ambiguous NFA paths",pattern:/\(([^|()]{1,20})\|(?:\1)(?:\|[^|()]{1,20}){0,5}\)[+*?]{1,2}/},{id:"redos-star-plus-concat",description:"(x*x)+ pattern — triggers super-linear backtracking",pattern:/\([^)]{0,10}\*[^)]{0,10}\)[+*]/},{id:"redos-dot-star-greedy",description:"(.*){n,} or (.+){n,} — repeated greedy dot quantifiers",pattern:/\(\.[*+]\)\{?\d/},{id:"redos-large-repetition",description:"Very large fixed or range repetition count {1000,} or {1000,n} — denial of service via backtracking",pattern:/\{\d{4,}(?:,\d*)?\}/},{id:"redos-catastrophic-alternation",description:"Long alternation with many similar branches — polynomial backtracking risk",pattern:/\([^)]{0,200}(?:\|[^|)]{0,50}){9,}\)/}],NOSQL:[{id:"nosql-where-operator",description:"$where — executes arbitrary JavaScript server-side in MongoDB",pattern:new RegExp(`\\$where${nt}`,"i")},{id:"nosql-ne-operator",description:'$ne — "not equal" operator used to bypass equality checks',pattern:new RegExp(`\\$ne${nt}`,"i")},{id:"nosql-gt-operator",description:'$gt — "greater than" used to bypass password/value checks',pattern:new RegExp(`\\$gte?${nt}`,"i")},{id:"nosql-lt-operator",description:'$lt / $lte — "less than" bypass variants',pattern:new RegExp(`\\$lte?${nt}`,"i")},{id:"nosql-regex-operator",description:"$regex — can be used to extract data character by character (blind injection)",pattern:new RegExp(`\\$regex${nt}`,"i")},{id:"nosql-or-operator",description:"$or — logical OR; used to create always-true conditions",pattern:new RegExp(`\\$or${nt}\\s*\\[`,"i")},{id:"nosql-and-operator",description:"$and — logical AND operator injection",pattern:new RegExp(`\\$and${nt}\\s*\\[`,"i")},{id:"nosql-nor-operator",description:"$nor — logical NOR operator injection",pattern:new RegExp(`\\$nor${nt}\\s*\\[`,"i")},{id:"nosql-exists-operator",description:"$exists — can enumerate fields to determine schema",pattern:new RegExp(`\\$exists${nt}`,"i")},{id:"nosql-in-operator",description:"$in — matches any value in a list; can enumerate values",pattern:new RegExp(`\\$in${nt}\\s*\\[`,"i")},{id:"nosql-expr-operator",description:"$expr — allows aggregation expressions in queries (MongoDB 3.6+)",pattern:new RegExp(`\\$expr${nt}`,"i")},{id:"nosql-function-operator",description:"$function — executes arbitrary JavaScript in MongoDB 4.4+",pattern:new RegExp(`\\$function${nt}`,"i")},{id:"nosql-accumulator-operator",description:"$accumulator — custom aggregation with arbitrary JS execution",pattern:new RegExp(`\\$accumulator${nt}`,"i")},{id:"nosql-proto-pollution",description:"__proto__ — prototype pollution via object key injection",pattern:/__proto__/},{id:"nosql-constructor-prototype",description:"constructor.prototype — alternative prototype pollution vector (dot notation or JSON key)",pattern:/constructor[\s"':.,{\[]*prototype/i},{id:"nosql-proto-bracket",description:'["__proto__"] — bracket-notation prototype pollution',pattern:/\[["']__proto__["']\]/}],LOG:[{id:"log-crlf-injection",description:"CRLF injection: literal \\r or \\n embeds fake log lines",pattern:/[\r\n]/},{id:"log-url-encoded-crlf",description:"URL-encoded CRLF: %0d, %0a, %0D, %0A — decoded by some log parsers",pattern:/%0[dDaA]/},{id:"log-unicode-newline",description:"Unicode newline variants: U+2028 (line separator), U+2029 (paragraph separator)",pattern:/[\u2028\u2029]/},{id:"log-log4shell-jndi",description:"Log4Shell: ${jndi:...} triggers remote code execution in Apache Log4j",pattern:/\$\{jndi\s*:/i},{id:"log-log4shell-obfuscated",description:"Obfuscated Log4Shell: ${::-j}... lookup-bypass prefix used to evade WAF detection",pattern:/\$\{::-/},{id:"log-log4j-lookup",description:"Log4j lookup syntax: ${env:...}, ${sys:...}, ${ctx:...} — data exfiltration",pattern:/\$\{(?:env|sys|ctx|main|map|sd|web|docker|k8s|spring)\s*:/i},{id:"log-ssti-double-brace",description:"SSTI double-brace: {{expression}} — Jinja2, Twig, Handlebars, etc.",pattern:/\{\{[\s\S]{0,80}\}\}/},{id:"log-ssti-hash-brace",description:"SSTI hash-brace: #{expression} — Thymeleaf, Velocity, Ruby ERB",pattern:/#\{[\s\S]{0,80}\}/},{id:"log-ssti-dollar-brace",description:"SSTI/EL injection: ${expression with operators or method calls} — JSP EL, Freemarker, SpEL",pattern:/\$\{[^}]*(?:\.|\(|\*|\+|\bclass\b|\bruntime\b|\bprocess\b|\bexec\b)[^}]{0,80}\}/i},{id:"log-ssti-percent-tag",description:"SSTI ERB/ASP tag: <%= expression %> — Ruby ERB, ASP",pattern:/<%=[\s\S]{0,80}%>/},{id:"log-null-byte",description:"Null byte: \\x00 or %00 — can truncate log entries in C-backed loggers",pattern:/\x00|%00/},{id:"log-ansi-escape",description:"ANSI escape sequence: ESC[ — can manipulate terminal output when logs are tailed",pattern:/\x1b\[/}]},st=at,ot=Object.freeze(Object.fromEntries(Object.keys(at).map(t=>[t,t])));function lt(t,e){const r=st[e];for(const i of r)if(i.pattern.test(t))return{context:e,id:i.id,description:i.description,pattern:i.pattern};return null}function ct(t,e){if(function(t){if("string"!=typeof t)throw new TypeError("is-unsafe: first argument must be a string, got "+typeof t)}(t),function(t){if(!(t instanceof RegExp))if("string"!=typeof t){if(!Array.isArray(t))throw new TypeError("is-unsafe: second argument must be a context string, array of context strings, or RegExp. Got: "+typeof t);if(0===t.length)throw new TypeError("is-unsafe: context array must not be empty");for(const e of t)if("string"!=typeof e||!st[e])throw new TypeError(`is-unsafe: unknown context "${e}" in array. Valid contexts: ${Object.keys(ot).join(", ")}`)}else if(!st[t])throw new TypeError(`is-unsafe: unknown context "${t}". Valid contexts: ${Object.keys(ot).join(", ")}`)}(e),e instanceof RegExp)return e.test(t);if("string"==typeof e)return null!==lt(t,e);for(const r of e)if(null!==lt(t,r))return!0;return!1}function pt(){return pt=Object.assign?Object.assign.bind():function(t){for(var e=1;e<arguments.length;e++){var r=arguments[e];for(var i in r)({}).hasOwnProperty.call(r,i)&&(t[i]=r[i])}return t},pt.apply(null,arguments)}function dt(t,e){if(!t)return{};var r=e.attributesGroupName?t[e.attributesGroupName]:t;if(!r)return{};var i={};for(var n in r)n.startsWith(e.attributeNamePrefix)?i[n.substring(e.attributeNamePrefix.length)]=r[n]:i[n]=r[n];return i}function ht(t){if(t&&"string"==typeof t){var e=t.indexOf(":");if(-1!==e&&e>0){var r=t.substring(0,e);if("xmlns"!==r)return r}}}var ut=function(t,e){var r;this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.parseXml=xt,this.parseTextData=ft,this.resolveNameSpace=gt,this.buildAttributesMap=vt,this.isItStopNode=wt,this.replaceEntitiesValue=yt,this.readStopNodeData=Tt,this.saveTextToParentTag=Et,this.addChild=bt,this.ignoreAttributesFn="function"==typeof(r=this.options.ignoreAttributes)?r:Array.isArray(r)?function(t){for(var e,i=function(t,e){var r="undefined"!=typeof Symbol&&t[Symbol.iterator]||t["@@iterator"];if(r)return(r=r.call(t)).next.bind(r);if(Array.isArray(t)||(r=function(t,e){if(t){if("string"==typeof t)return V(t,e);var r={}.toString.call(t).slice(8,-1);return"Object"===r&&t.constructor&&(r=t.constructor.name),"Map"===r||"Set"===r?Array.from(t):"Arguments"===r||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r)?V(t,e):void 0}}(t))||e&&t&&"number"==typeof t.length){r&&(t=r);var i=0;return function(){return i>=t.length?{done:!0}:{done:!1,value:t[i++]}}}throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}(r);!(e=i()).done;){var n=e.value;if("string"==typeof n&&t===n)return!0;if(n instanceof RegExp&&n.test(t))return!0}}:function(){return!1},this.entityExpansionCount=0,this.currentExpandedLength=0;var i=pt({},W);this.options.entityDecoder?this.entityDecoder=this.options.entityDecoder:("object"==typeof this.options.htmlEntities?i=this.options.htmlEntities:!0===this.options.htmlEntities&&(i=pt({},Y,B)),this.entityDecoder=new rt({namedEntities:pt({},i,e),numericAllowed:this.options.htmlEntities,limit:{maxTotalExpansions:this.options.processEntities.maxTotalExpansions,maxExpandedLength:this.options.processEntities.maxExpandedLength,applyLimitsTo:this.options.processEntities.appliesTo},onInputEntity:function(t,e){return ct(e,[ot.HTML,ot.XML])?G.BLOCK:G.ALLOW}})),this.matcher=new U,this.readonlyMatcher=this.matcher.readOnly(),this.isCurrentNodeStopNode=!1,this.stopNodeExpressionsSet=new X;var n=this.options.stopNodes;if(n&&n.length>0){for(var a=0;a<n.length;a++){var s=n[a];"string"==typeof s?this.stopNodeExpressionsSet.add(new F(s)):s instanceof F&&this.stopNodeExpressionsSet.add(s)}this.stopNodeExpressionsSet.seal()}};function ft(t,e,r,i,n,a,s){var o=this.options;if(void 0!==t&&(o.trimValues&&!i&&(t=t.trim()),t.length>0)){s||(t=this.replaceEntitiesValue(t,e,r));var l=o.jPath?r.toString():r,c=o.tagValueProcessor(e,t,l,n,a);return null==c?t:typeof c!=typeof t||c!==t?c:o.trimValues||t.trim()===t?At(t,o.parseTagValue,o.numberParseOptions):t}}function gt(t){if(this.options.removeNSPrefix){var e=t.split(":"),r="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=r+e[1])}return t}var mt=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function vt(t,e,r,i){void 0===i&&(i=!1);var a=this.options;if(!0===i||!0!==a.ignoreAttributes&&"string"==typeof t){for(var s=n(t,mt),o=s.length,l={},c=new Array(o),p=!1,d={},h=0;h<o;h++){var u=this.resolveNameSpace(s[h][1]),f=s[h][4];if(u.length&&void 0!==f){var g=f;a.trimValues&&(g=g.trim()),g=this.replaceEntitiesValue(g,r,this.readonlyMatcher),c[h]=g,d[u]=g,p=!0}}p&&"object"==typeof e&&e.updateCurrent&&e.updateCurrent(d);for(var m=a.jPath?e.toString():this.readonlyMatcher,v=!1,x=0;x<o;x++){var b=this.resolveNameSpace(s[x][1]);if(!this.ignoreAttributesFn(b,m)){var y=a.attributeNamePrefix+b;if(b.length)if(a.transformAttributeName&&(y=a.transformAttributeName(y)),y=It(y,a),void 0!==s[x][4]){var E=c[x],w=a.attributeValueProcessor(b,E,m);l[y]=null==w?E:typeof w!=typeof E||w!==E?w:At(E,a.parseAttributeValue,a.numberParseOptions),v=!0}else a.allowBooleanAttributes&&(l[y]=!0,v=!0)}}if(!v)return;if(a.attributesGroupName&&!a.preserveOrder){var S={};return S[a.attributesGroupName]=l,S}return l}}var xt=function(t){t=t.replace(/\r\n?/g,"\n");var e=new f("!xml"),r=e,i="";this.matcher.reset(),this.entityDecoder.reset(),this.entityExpansionCount=0,this.currentExpandedLength=0;for(var n=this.options,a=new w(n.processEntities),s=t.length,o=0;o<s;o++)if("<"===t[o]){var l=t.charCodeAt(o+1);if(47===l){var c=St(t,">",o,"Closing Tag is not closed."),p=t.substring(o+2,c).trim();if(n.removeNSPrefix){var d=p.indexOf(":");-1!==d&&(p=p.substr(d+1))}p=Ct(n.transformTagName,p,"",n).tagName,r&&(i=this.saveTextToParentTag(i,r,this.readonlyMatcher));var h=this.matcher.getCurrentTag();if(p&&n.unpairedTagsSet.has(p))throw new Error("Unpaired tag can not be used as closing tag: </"+p+">");h&&n.unpairedTagsSet.has(h)&&(this.matcher.pop(),this.tagsNodeStack.pop()),this.matcher.pop(),this.isCurrentNodeStopNode=!1,r=this.tagsNodeStack.pop(),i="",o=c}else if(63===l){var u=_t(t,o,!1,"?>");if(!u)throw new Error("Pi Tag is not closed.");i=this.saveTextToParentTag(i,r,this.readonlyMatcher);var g=this.buildAttributesMap(u.tagExp,this.matcher,u.tagName,!0);if(g){var m=g[this.options.attributeNamePrefix+"version"];this.entityDecoder.setXmlVersion(Number(m)||1),a.setXmlVersion(Number(m)||1)}if(n.ignoreDeclaration&&"?xml"===u.tagName||n.ignorePiTags);else{var v=new f(u.tagName);v.add(n.textNodeName,""),u.tagName!==u.tagExp&&u.attrExpPresent&&!0!==n.ignoreAttributes&&(v[":@"]=g),this.addChild(r,v,this.readonlyMatcher,o)}o=u.closeIndex+1}else if(33===l&&45===t.charCodeAt(o+2)&&45===t.charCodeAt(o+3)){var x=St(t,"--\x3e",o+4,"Comment is not closed.");if(n.commentPropName){var b,y=t.substring(o+4,x-2);i=this.saveTextToParentTag(i,r,this.readonlyMatcher),r.add(n.commentPropName,[(b={},b[n.textNodeName]=y,b)])}o=x}else if(33===l&&68===t.charCodeAt(o+2)){var E=a.readDocType(t,o);this.entityDecoder.addInputEntities(E.entities),o=E.i}else if(33===l&&91===t.charCodeAt(o+2)){var S=St(t,"]]>",o,"CDATA is not closed.")-2,N=t.substring(o+9,S);i=this.saveTextToParentTag(i,r,this.readonlyMatcher);var _,T=this.parseTextData(N,r.tagname,this.readonlyMatcher,!0,!1,!0,!0);null==T&&(T=""),n.cdataPropName?r.add(n.cdataPropName,[(_={},_[n.textNodeName]=N,_)]):r.add(n.textNodeName,T),o=S+2}else{var A=_t(t,o,n.removeNSPrefix);if(!A){var C=t.substring(Math.max(0,o-50),Math.min(s,o+50));throw new Error("readTagExp returned undefined at position "+o+'. Context: "'+C+'"')}var I=A.tagName,j=A.rawTagName,O=A.tagExp,k=A.attrExpPresent,D=A.closeIndex,L=Ct(n.transformTagName,I,O,n);if(I=L.tagName,O=L.tagExp,n.strictReservedNames&&(I===n.commentPropName||I===n.cdataPropName||I===n.textNodeName||I===n.attributesGroupName))throw new Error("Invalid tag name: "+I);r&&i&&"!xml"!==r.tagname&&(i=this.saveTextToParentTag(i,r,this.readonlyMatcher,!1));var $=r;$&&n.unpairedTagsSet.has($.tagname)&&(r=this.tagsNodeStack.pop(),this.matcher.pop());var P=!1;O.length>0&&O.lastIndexOf("/")===O.length-1&&(P=!0,O="/"===I[I.length-1]?I=I.substr(0,I.length-1):O.substr(0,O.length-1),k=I!==O);var M,R=null;M=ht(j),I!==e.tagname&&this.matcher.push(I,{},M),I!==O&&k&&(R=this.buildAttributesMap(O,this.matcher,I))&&dt(R,n),I!==e.tagname&&(this.isCurrentNodeStopNode=this.isItStopNode());var V=o;if(this.isCurrentNodeStopNode){var q="";if(P)o=A.closeIndex;else if(n.unpairedTagsSet.has(I))o=A.closeIndex;else{var U=this.readStopNodeData(t,j,D+1);if(!U)throw new Error("Unexpected end of "+j);o=U.i,q=U.tagContent}var F=new f(I);R&&(F[":@"]=R),F.add(n.textNodeName,q),this.matcher.pop(),this.isCurrentNodeStopNode=!1,this.addChild(r,F,this.readonlyMatcher,V)}else{if(P){var X=Ct(n.transformTagName,I,O,n);I=X.tagName,O=X.tagExp;var B=new f(I);R&&(B[":@"]=R),this.addChild(r,B,this.readonlyMatcher,V),this.matcher.pop(),this.isCurrentNodeStopNode=!1}else{if(n.unpairedTagsSet.has(I)){var W=new f(I);R&&(W[":@"]=R),this.addChild(r,W,this.readonlyMatcher,V),this.matcher.pop(),this.isCurrentNodeStopNode=!1,o=A.closeIndex;continue}var Y=new f(I);if(this.tagsNodeStack.length>n.maxNestedTags)throw new Error("Maximum nested tags exceeded");this.tagsNodeStack.push(r),R&&(Y[":@"]=R),this.addChild(r,Y,this.readonlyMatcher,V),r=Y}i="",o=D}}}else i+=t[o];return e.child};function bt(t,e,r,i){this.options.captureMetaData||(i=void 0);var n=this.options.jPath?r.toString():r,a=this.options.updateTag(e.tagname,n,e[":@"]);!1===a||("string"==typeof a?(e.tagname=a,t.addChild(e,i)):t.addChild(e,i))}function yt(t,e,r){var i=this.options.processEntities;if(!i||!i.enabled)return t;if(i.allowedTags){var n=this.options.jPath?r.toString():r;if(!(Array.isArray(i.allowedTags)?i.allowedTags.includes(e):i.allowedTags(e,n)))return t}if(i.tagFilter){var a=this.options.jPath?r.toString():r;if(!i.tagFilter(e,a))return t}return this.entityDecoder.decode(t)}function Et(t,e,r,i){return t&&(void 0===i&&(i=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,r,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,i))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function wt(){return 0!==this.stopNodeExpressionsSet.size&&this.matcher.matchesAny(this.stopNodeExpressionsSet)}function St(t,e,r,i){var n=t.indexOf(e,r);if(-1===n)throw new Error(i);return n+e.length-1}function Nt(t,e,r,i){var n=t.indexOf(e,r);if(-1===n)throw new Error(i);return n}function _t(t,e,r,i){void 0===i&&(i=">");var n=function(t,e,r){void 0===r&&(r=">");for(var i=0,n=t.length,a=r.charCodeAt(0),s=r.length>1?r.charCodeAt(1):-1,o="",l=e,c=e;c<n;c++){var p=t.charCodeAt(c);if(i)p===i&&(i=0);else if(34===p||39===p)i=p;else if(p===a){if(-1===s)return{data:o+=t.substring(l,c),index:c};if(t.charCodeAt(c+1)===s)return{data:o+=t.substring(l,c),index:c}}else 9!==p||i||(o+=t.substring(l,c)+" ",l=c+1)}}(t,e+1,i);if(n){var a=n.data,s=n.index,o=a.search(/\s/),l=a,c=!0;-1!==o&&(l=a.substring(0,o),a=a.substring(o+1).trimStart());var p=l;if(r){var d=l.indexOf(":");-1!==d&&(c=(l=l.substr(d+1))!==n.data.substr(d+1))}return{tagName:l,tagExp:a,closeIndex:s,attrExpPresent:c,rawTagName:p}}}function Tt(t,e,r){for(var i=r,n=1,a=t.length;r<a;r++)if("<"===t[r]){var s=t.charCodeAt(r+1);if(47===s){var o=Nt(t,">",r,e+" is not closed");if(t.substring(r+2,o).trim()===e&&0===--n)return{tagContent:t.substring(i,r),i:o};r=o}else if(63===s)r=St(t,"?>",r+1,"StopNode is not closed.");else if(33===s&&45===t.charCodeAt(r+2)&&45===t.charCodeAt(r+3))r=St(t,"--\x3e",r+3,"StopNode is not closed.");else if(33===s&&91===t.charCodeAt(r+2))r=St(t,"]]>",r,"StopNode is not closed.")-2;else{var l=_t(t,r,!1);l&&((l&&l.tagName)===e&&"/"!==l.tagExp[l.tagExp.length-1]&&n++,r=l.closeIndex)}}}function At(t,e,r){if(e&&"string"==typeof t){var i=t.trim();return"true"===i||"false"!==i&&P(t,r)}return void 0!==t?t:""}function Ct(t,e,r,i){if(t){var n=t(e);r===e&&(r=n),e=n}return{tagName:e=It(e,i),tagExp:r}}function It(t,e){if(o.includes(t))throw new Error('[SECURITY] Invalid name: "'+t+'" is a reserved JavaScript keyword that could cause prototype pollution');return s.includes(t)?e.onDangerousProperty(t):t}var jt=f.getMetaDataSymbol();function Ot(t,e){if(!t||"object"!=typeof t)return{};if(!e)return t;var r={};for(var i in t)i.startsWith(e)?r[i.substring(e.length)]=t[i]:r[i]=t[i];return r}function kt(t,e,r,i){return Dt(t,e,r,i)}function Dt(t,e,r,i){for(var n,a={},s=0;s<t.length;s++){var o=t[s],l=Lt(o);if(void 0!==l&&l!==e.textNodeName){var c=Ot(o[":@"]||{},e.attributeNamePrefix);r.push(l,c)}if(l===e.textNodeName)void 0===n?n=o[l]:n+=""+o[l];else{if(void 0===l)continue;if(o[l]){var p=Dt(o[l],e,r,i),d=Pt(p,e);if(0===Object.keys(p).length&&e.alwaysCreateTextNode&&(p[e.textNodeName]=""),o[":@"]?$t(p,o[":@"],i,e):1!==Object.keys(p).length||void 0===p[e.textNodeName]||e.alwaysCreateTextNode?0===Object.keys(p).length&&(e.alwaysCreateTextNode?p[e.textNodeName]="":p=""):p=p[e.textNodeName],void 0!==o[jt]&&"object"==typeof p&&null!==p&&(p[jt]=o[jt]),void 0!==a[l]&&Object.prototype.hasOwnProperty.call(a,l))Array.isArray(a[l])||(a[l]=[a[l]]),a[l].push(p);else{var h=e.jPath?i.toString():i;e.isArray(l,h,d)?a[l]=[p]:a[l]=p}void 0!==l&&l!==e.textNodeName&&r.pop()}}}return"string"==typeof n?n.length>0&&(a[e.textNodeName]=n):void 0!==n&&(a[e.textNodeName]=n),a}function Lt(t){for(var e=Object.keys(t),r=0;r<e.length;r++){var i=e[r];if(":@"!==i)return i}}function $t(t,e,r,i){if(e)for(var n=Object.keys(e),a=n.length,s=0;s<a;s++){var o=n[s],l=o.startsWith(i.attributeNamePrefix)?o.substring(i.attributeNamePrefix.length):o,c=i.jPath?r.toString()+"."+l:r;i.isArray(o,c,!0,!0)?t[o]=[e[o]]:t[o]=e[o]}}function Pt(t,e){var r=e.textNodeName,i=Object.keys(t).length;return 0===i||!(1!==i||!t[r]&&"boolean"!=typeof t[r]&&0!==t[r])}var Mt={allowBooleanAttributes:!1,unpairedTags:[]};function Rt(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function Vt(t,e){for(var r=e;e<t.length;e++)if("?"!=t[e]&&" "!=t[e]);else{var i=t.substr(r,e-r);if(e>5&&"xml"===i)return Wt("InvalidXml","XML declaration allowed only at the start of the document.",Ht(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}}return e}function qt(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e<t.length;e++)if("-"===t[e]&&"-"===t[e+1]&&">"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){var r=1;for(e+=8;e<t.length;e++)if("<"===t[e])r++;else if(">"===t[e]&&0===--r)break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e<t.length;e++)if("]"===t[e]&&"]"===t[e+1]&&">"===t[e+2]){e+=2;break}return e}function Ut(t,e){for(var r="",i="",n=!1;e<t.length;e++){if('"'===t[e]||"'"===t[e])""===i?i=t[e]:i!==t[e]||(i="");else if(">"===t[e]&&""===i){n=!0;break}r+=t[e]}return""===i&&{value:r,index:e,tagClosed:n}}var Ft=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function Xt(t,e){for(var r=n(t,Ft),i={},a=0;a<r.length;a++){if(0===r[a][1].length)return Wt("InvalidAttr","Attribute '"+r[a][2]+"' has no space in starting.",zt(r[a]));if(void 0!==r[a][3]&&void 0===r[a][4])return Wt("InvalidAttr","Attribute '"+r[a][2]+"' is without value.",zt(r[a]));if(void 0===r[a][3]&&!e.allowBooleanAttributes)return Wt("InvalidAttr","boolean attribute '"+r[a][2]+"' is not allowed.",zt(r[a]));var s=r[a][2];if(!Yt(s))return Wt("InvalidAttr","Attribute '"+s+"' is an invalid name.",zt(r[a]));if(Object.prototype.hasOwnProperty.call(i,s))return Wt("InvalidAttr","Attribute '"+s+"' is repeated.",zt(r[a]));i[s]=1}return!0}function Bt(t,e){if(";"===t[++e])return-1;if("#"===t[e])return function(t,e){var r=/\d/;for("x"===t[e]&&(e++,r=/[\da-fA-F]/);e<t.length;e++){if(";"===t[e])return e;if(!t[e].match(r))break}return-1}(t,++e);for(var r=0;e<t.length;e++,r++)if(!(t[e].match(/\w/)&&r<20)){if(";"===t[e])break;return-1}return e}function Wt(t,e,r){return{err:{code:t,msg:e,line:r.line||r,col:r.col}}}function Yt(t){return a(t)}function Gt(t){return a(t)}function Ht(t,e){var r=t.substring(0,e).split(/\r?\n/);return{line:r.length,col:r[r.length-1].length+1}}function zt(t){return t.startIndex+t[1].length}var Qt=function(){function t(t){this.externalEntities={},this.options=u(t)}var e=t.prototype;return e.parse=function(t,e){if("string"!=typeof t&&t.toString)t=t.toString();else if("string"!=typeof t)throw new Error("XML data is accepted in String or Bytes[] form.");if(e){!0===e&&(e={});var r=function(t,e){e=Object.assign({},Mt,e);var r=[],i=!1,n=!1;"\ufeff"===t[0]&&(t=t.substr(1));for(var a=0;a<t.length;a++)if("<"===t[a]&&"?"===t[a+1]){if((a=Vt(t,a+=2)).err)return a}else{if("<"!==t[a]){if(Rt(t[a]))continue;return Wt("InvalidChar","char '"+t[a]+"' is not expected.",Ht(t,a))}var s=a;if("!"===t[++a]){a=qt(t,a);continue}var o=!1;"/"===t[a]&&(o=!0,a++);for(var l="";a<t.length&&">"!==t[a]&&" "!==t[a]&&"\t"!==t[a]&&"\n"!==t[a]&&"\r"!==t[a];a++)l+=t[a];if("/"===(l=l.trim())[l.length-1]&&(l=l.substring(0,l.length-1),a--),!Gt(l))return Wt("InvalidTag",0===l.trim().length?"Invalid space after '<'.":"Tag '"+l+"' is an invalid name.",Ht(t,a));var c=Ut(t,a);if(!1===c)return Wt("InvalidAttr","Attributes for '"+l+"' have open quote.",Ht(t,a));var p=c.value;if(a=c.index,"/"===p[p.length-1]){var d=a-p.length,h=Xt(p=p.substring(0,p.length-1),e);if(!0!==h)return Wt(h.err.code,h.err.msg,Ht(t,d+h.err.line));i=!0}else if(o){if(!c.tagClosed)return Wt("InvalidTag","Closing tag '"+l+"' doesn't have proper closing.",Ht(t,a));if(p.trim().length>0)return Wt("InvalidTag","Closing tag '"+l+"' can't have attributes or invalid starting.",Ht(t,s));if(0===r.length)return Wt("InvalidTag","Closing tag '"+l+"' has not been opened.",Ht(t,s));var u=r.pop();if(l!==u.tagName){var f=Ht(t,u.tagStartPos);return Wt("InvalidTag","Expected closing tag '"+u.tagName+"' (opened in line "+f.line+", col "+f.col+") instead of closing tag '"+l+"'.",Ht(t,s))}0==r.length&&(n=!0)}else{var g=Xt(p,e);if(!0!==g)return Wt(g.err.code,g.err.msg,Ht(t,a-p.length+g.err.line));if(!0===n)return Wt("InvalidXml","Multiple possible root nodes found.",Ht(t,a));-1!==e.unpairedTags.indexOf(l)||r.push({tagName:l,tagStartPos:s}),i=!0}for(a++;a<t.length;a++)if("<"===t[a]){if("!"===t[a+1]){a=qt(t,++a);continue}if("?"!==t[a+1])break;if((a=Vt(t,++a)).err)return a}else if("&"===t[a]){var m=Bt(t,a);if(-1==m)return Wt("InvalidChar","char '&' is not expected.",Ht(t,a));a=m}else if(!0===n&&!Rt(t[a]))return Wt("InvalidXml","Extra text at the end",Ht(t,a));"<"===t[a]&&a--}return i?1==r.length?Wt("InvalidTag","Unclosed tag '"+r[0].tagName+"'.",Ht(t,r[0].tagStartPos)):!(r.length>0)||Wt("InvalidXml","Invalid '"+JSON.stringify(r.map(function(t){return t.tagName}),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):Wt("InvalidXml","Start tag expected.",1)}(t,e);if(!0!==r)throw Error(r.err.msg+":"+r.err.line+":"+r.err.col)}var i=new ut(this.options,this.externalEntities),n=i.parseXml(t);return this.options.preserveOrder||void 0===n?n:kt(n,this.options,i.matcher,i.readonlyMatcher)},e.addEntity=function(t,e){if(-1!==e.indexOf("&"))throw new Error("Entity value can't have '&'");if(-1!==t.indexOf("&")||-1!==t.indexOf(";"))throw new Error("An entity must be set without '&' and ';'. Eg. use '#xD' for '&#xD;'");if("&"===e)throw new Error("An entity with value '&' is not permitted");this.externalEntities[t]=e},t.getMetaDataSymbol=function(){return f.getMetaDataSymbol()},t}();return e})());
//# sourceMappingURL=fxparser.min.js.map
+4
-3
package.json
{
"name": "fast-xml-parser",
"version": "5.8.0",
"version": "5.9.0",
"description": "Validate XML, Parse XML, Build XML without C/C++ based libraries",

@@ -89,8 +89,9 @@ "main": "./lib/fxp.cjs",

"dependencies": {
"@nodable/entities": "^2.1.0",
"@nodable/entities": "^2.2.0",
"fast-xml-builder": "^1.2.0",
"is-unsafe": "^1.0.1",
"path-expression-matcher": "^1.5.0",
"strnum": "^2.3.0",
"strnum": "^2.4.0",
"xml-naming": "^0.1.0"
}
}
+3
-1
src/fxp.d.ts

@@ -506,3 +506,5 @@ /**

skipLike?: RegExp,
eNotation?: boolean
eNotation?: boolean,
infinity?: string,
unicode?: boolean
}

@@ -509,0 +511,0 @@ 

+2
-1
src/xmlparser/OptionsBuilder.js

@@ -28,3 +28,4 @@ import { DANGEROUS_PROPERTY_NAMES, criticalProperties } from "../util.js";

leadingZeros: true,
eNotation: true
eNotation: true,
unicode: false
},

@@ -31,0 +32,0 @@ tagValueProcessor: function (tagName, val) {

+10
-2
src/xmlparser/OrderedObjParser.js

@@ -11,4 +11,6 @@ 'use strict';

import { ExpressionSet } from 'path-expression-matcher';
import { EntityDecoder, XML, CURRENCY, COMMON_HTML } from '@nodable/entities';
import { EntityDecoder, XML, CURRENCY, COMMON_HTML, ENTITY_ACTION } from '@nodable/entities';
import { isUnsafe, VALID_CONTEXTS } from "is-unsafe"
// const regx =

@@ -102,3 +104,9 @@ // '<((!\\[CDATA\\[([\\s\\S]*?)(]]>))|((NAME:)?(NAME))([^>]*)>|((\\/)(NAME)\\s*>))([^<]*)'

applyLimitsTo: this.options.processEntities.appliesTo,
}
},
// onExternalEntity: (name, value) => isUnsafe(value) ? 'block' : 'allow',
onInputEntity: (name, value) =>
//TODO: VALID_CONTEXTS.HTML should be set only if this.options.htmlEntities
isUnsafe(value, [VALID_CONTEXTS.HTML, VALID_CONTEXTS.XML])
? ENTITY_ACTION.BLOCK : ENTITY_ACTION.ALLOW,
//postCheck: resolved => resolved

@@ -105,0 +113,0 @@ });

lib/fxp.cjs

Sorry, the diff of this file is too big to display

lib/fxp.min.js

Sorry, the diff of this file is too big to display

lib/fxp.min.js.map

Sorry, the diff of this file is too big to display

lib/fxparser.min.js.map

Sorry, the diff of this file is too big to display