Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
The xmldoc npm package is a lightweight XML parser that provides an easy and manageable way to parse XML documents and navigate their structures in Node.js applications. It allows users to load XML documents as objects and access their attributes, child elements, and text content programmatically.
Parsing XML
This feature allows the parsing of XML strings into a manageable object structure, enabling easy access to different parts of the XML document.
var XmlDocument = require('xmldoc').XmlDocument;
var xml = new XmlDocument('<root><child foo="bar">Hello, world!</child></root>');
console.log(xml.firstChild.attr.foo); // outputs: bar
Navigating Nodes
This feature enables navigation to specific nodes by their names and retrieval of their text content.
var child = xml.childNamed('child');
console.log(child.val); // outputs: Hello, world!
Accessing Attributes
This feature allows access to the attributes of XML nodes, making it easy to retrieve values associated with different attributes in an element.
console.log(xml.firstChild.attr.foo); // outputs: bar
libxmljs is a more feature-rich XML parsing library that provides bindings to the libxml C library. It offers faster parsing and XPath support, making it suitable for more complex XML processing tasks compared to xmldoc.
xml2js is another popular XML parsing library that, unlike xmldoc, converts XML documents into JSON format. This can be particularly useful when the end goal is to work with JSON objects instead of navigating XML nodes directly.
xmldoc
lets you parse XML documents with ease. It's a pure-JavaScript, one-file XML document class with a single dependency on the excellent sax
parser.
For more on why I wrote this class, see the blog post.
See CHANGELOG.md for details (built with GitHub Changelog Generator).
npm install xmldoc
Or just download the repository and include it in your node_modules
directly. Or just download the single JS file!
I haven't tested this myself but installing buffer
and stream
separately may be necessary for xmldoc
to work on React Native:
npm install buffer stream xmldoc
var xmldoc = require('xmldoc');
var document = new xmldoc.XmlDocument("<some>xml</some>");
// do things
The primary exported class is XmlDocument
, which you'll use to consume your XML text. XmlDocument
contains a hierarchy of XmlElement
instances representing the XML structure.
Both XmlElement
and XmlDocument
contain the same members and methods you can call to traverse the document or a subtree.
name
- the node name, like "tat" for <tat>
. XML "namespaces" are ignored by the underlying sax-js parser, so you'll simply get "office:body" for <office:body>
.attr
- an object dict containing attribute properties, like bookNode.attr.title
for <book title="...">
.val
- the string "value" of the node, if any, like "world" for <hello>world</hello>
.children
- an array of XmlElement
children of the node.firstChild
, lastChild
- pretty much what it sounds like; null if no childrenline
, column
, position
, startTagPosition
- information about the element's original position in the XML string.Each member defaults to a sensible "empty" value like {}
for attr
, []
for children
, and ""
for val
.
All methods with child
in the name operate only on direct children; they do not do a deep/recursive search.
It's important to note that xmldoc
is designed for when you know exactly what you want from your XML file. For instance, it's great for parsing API responses with known structures, but it's not great at teasing things out of HTML documents from the web.
If you need to do lots of searching through your XML document, I highly recommend trying a different library like node-elementtree.
Similar to underscore's each
method, it will call func(child, index, array)
for each child of the given node.
Pass it the name of a child node and it will search for and return the first one found, or undefined
.
Like childNamed
but returns all matching children in an array, or []
.
Searches for the first child with the given attribute value. You can omit value
to just find the first node with the given attribute defined at all.
Searches for a specific "path" using dot notation. Example:
<book>
<author>
<name isProper="true">George R. R. Martin</name>
...
</author>
...
</book>
If you just want the <name>
node and you have the XmlElement
for the <book>
node, you can say:
var nameNode = bookNode.descendantWithPath("author.name"); // return <name> node
Just like descendantWithPath
, but goes deeper and extracts the val
of the node. Example:
var authorName = bookNode.valueWithPath("author.name"); // return "George R. R. Martin"
You can also use the @
character to request the value of a particular attribute instead:
var authorIsProper = bookNode.valueWithPath("author.name@isProper"); // return "true"
This is not XPath! It's just a thing I made up, OK?
This is just an override of the standard JavaScript method, it will give you a string representation of your XML document or element. Note that this is for debugging only! It is not guaranteed to always output valid XML.
The default implementation of toString()
, that is, the one you get when you just console.log("Doc: " + myDoc)
will pretty-print the XML with linebreaks and indents. You can pass a couple options to control the output:
xml.toString({compressed:true}) // strips indents and linebreaks
xml.toString({trimmed:true}) // trims long strings for easier debugging
xml.toString({preserveWhitespace:true}) // prevents whitespace being removed from around element values
Putting it all together:
var xml = "<author><name>looooooong value</name></author>";
console.log("My document: \n" + new XmlDocument(xml).toString({trimmed:true}))
Prints:
My Document:
<hello>
loooooooo…
</hello>
Feel free to file issues or hit me up on Twitter.
FAQs
A lightweight XML Document class for JavaScript.
We found that xmldoc demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.