fix: prevent empty entities

lddubeau · Jul 4, 2018 · 04e1593 · 04e1593
1 parent c0946d8
commit 04e1593
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 16 deletions.
diff --git a/lib/saxes.js b/lib/saxes.js
@@ -1018,29 +1018,25 @@ class SAXParser {
   }
 
   parseEntity() {
-    let { entity } = this;
+    const { entity } = this;
 
-    if (this.ENTITIES[entity]) {
-      return this.ENTITIES[entity];
+    const defined = this.ENTITIES[entity];
+    if (defined) {
+      return defined;
     }
 
-    let num;
-    let numStr = "";
-    entity = entity.toLowerCase();
+    let num = NaN;
     if (entity[0] === "#") {
-      if (entity[1] === "x") {
-        entity = entity.slice(2);
-        num = parseInt(entity, 16);
-        numStr = num.toString(16);
+      if ((entity[1] === "x" || entity[1] === "X") &&
+          /^#[x|X][0-9a-fA-F]+$/.test(entity)) {
+        num = parseInt(entity.slice(2), 16);
       }
-      else {
-        entity = entity.slice(1);
-        num = parseInt(entity);
-        numStr = num.toString(10);
+      else if (/^#[0-9]+$/.test(entity)) {
+        num = parseInt(entity.slice(1), 10);
       }
     }
-    entity = entity.replace(/^0+/, "");
-    if (Number.isNaN(num) || numStr.toLowerCase() !== entity) {
+
+    if (Number.isNaN(num)) {
       this.fail("Invalid character entity");
       return `&${this.entity};`;
     }

diff --git a/test/bad-entities.js b/test/bad-entities.js
@@ -0,0 +1,37 @@
+"use strict";
+
+require(".").test({
+  name: "empty entity",
+  xml: "<r>&;</r>",
+  expect: [
+    ["opentagstart", { name: "r", attributes: {} }],
+    ["opentag", { name: "r", attributes: {}, isSelfClosing: false }],
+    ["error", "Invalid character entity\nLine: 0\nColumn: 5\nChar: ;"],
+    ["text", "&;"],
+    ["closetag", "r"],
+  ],
+});
+
+require(".").test({
+  name: "empty decimal entity",
+  xml: "<r>&#;</r>",
+  expect: [
+    ["opentagstart", { name: "r", attributes: {} }],
+    ["opentag", { name: "r", attributes: {}, isSelfClosing: false }],
+    ["error", "Invalid character entity\nLine: 0\nColumn: 6\nChar: ;"],
+    ["text", "&#;"],
+    ["closetag", "r"],
+  ],
+});
+
+require(".").test({
+  name: "empty hex entity",
+  xml: "<r>&#x;</r>",
+  expect: [
+    ["opentagstart", { name: "r", attributes: {} }],
+    ["opentag", { name: "r", attributes: {}, isSelfClosing: false }],
+    ["error", "Invalid character entity\nLine: 0\nColumn: 7\nChar: ;"],
+    ["text", "&#x;"],
+    ["closetag", "r"],
+  ],
+});