Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
xml-stream
Advanced tools
XmlStream is a Node.js XML stream parser and editor, based on node-expat (libexpat SAX-like parser binding).
$ npm install xml-stream
When working with large XML files, it is probably a bad idea to use an XML to JavaScript object converter, or simply buffer the whole document in memory. Then again, a typical SAX parser might be too low-level for some tasks (and often a real pain).
This is why we've rolled our own stream parser that tries to address these shortcomings. It processes an XML stream chunk by chunk and fires events only for nodes of interest, matching them with CSS-like selectors.
Supported events:
data
on outgoing data chunk,end
when parsing has ended,startElement[: selector]
on opening tag for selector match,updateElement[: selector]
on finished node for selector match
with its contents buffered,endElement[: selector]
on closing tag for selector match,text[: selector]
on tag text for selector match.When adding listeners for startElement
, updateElement
, and text
the
callback can modify the provided node, before it is sent to the consumer.
Selector syntax is CSS-like and currently supports:
ancestor descendant
parent > child
Take a look at the examples for more information.
Each of the four node events has a callback with one argument. When parsing, this argument is set to the current matched node. Having a chunk of XML like this:
<item id="123" type="common">
<title>Item Title</title>
<description>Description of this item.</description>
(text)
</item>
The structure of the item element node would be:
{
title: 'Item Title',
description: 'Description of this item.',
'$': {
'id': '123',
'type': 'common'
},
'$name': 'item',
'$text': '(text)'
}
Naturally, element text and child elements wouldn't be known until discovered in the stream, so the structure may differ across events. The complete structure as displayed should be available on updateElement. The $name is not available on endElement.
It is sometimes required to select elements that have many children with one and the same name. Like this XML:
<item id="1">
<subitem>one</subitem>
<subitem>two</subitem>
</item>
<item id="2">
<subitem>three</subitem>
<subitem>four</subitem>
<subitem>five</subitem>
</item>
By default, parsed element node contains children as properties. In the case of several children with same names, the last one would overwrite others. To collect all of subitem elements in an array use collect:
xml.collect('subitem');
xml.on('endElement: item', function(item) {
console.log(item);
})
By default, element text is returned as one concatenated string. In this XML:
<item>
one <a>1</b>
two <a>2</b>
</item>
The value of $text for item would be: one 1 two 2
without any
indication of the order of element a, element b, and text parts.
To preserve this order:
xml.preserve('item');
xml.on('endElement: item', function(item) {
console.log(item);
})
If you want parsing to pause (for example, until some asynchronous operation of yours is finished), you can pause and resume XML parsing:
xml.pause();
myAsyncFunction( function() {
xml.resume();
});
Beware that resume() must not be called from within a handler callback.
FAQs
XML stream to JavaScript object converter based on Expat.
We found that xml-stream demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.