From 04e1593a2a0702752907cee4d5c7c05a02a17ba1 Mon Sep 17 00:00:00 2001
From: Louis-Dominique Dubeau
Date: Tue, 3 Jul 2018 18:53:59 -0400
Subject: [PATCH] fix: prevent empty entities
---
 lib/saxes.js | 28 ++++++++++++----------------
 test/bad-entities.js | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 16 deletions(-)
 create mode 100644 test/bad-entities.js
diff --git a/lib/saxes.js b/lib/saxes.js
index 357b342b..64886589 100644
--- a/lib/saxes.js
+++ b/lib/saxes.js
@@ -1018,29 +1018,25 @@ class SAXParser {
 }
 parseEntity() {
- let { entity } = this;
+ const { entity } = this;
- if (this.ENTITIES[entity]) {
- return this.ENTITIES[entity];
+ const defined = this.ENTITIES[entity];
+ if (defined) {
+ return defined;
 }
- let num;
- let numStr = "";
- entity = entity.toLowerCase();
+ let num = NaN;
 if (entity[0] === "#") {
- if (entity[1] === "x") {
- entity = entity.slice(2);
- num = parseInt(entity, 16);
- numStr = num.toString(16);
+ if ((entity[1] === "x" || entity[1] === "X") &&
+ /^#[x|X][0-9a-fA-F]+$/.test(entity)) {
+ num = parseInt(entity.slice(2), 16);
 }
- else {
- entity = entity.slice(1);
- num = parseInt(entity);
- numStr = num.toString(10);
+ else if (/^#[0-9]+$/.test(entity)) {
+ num = parseInt(entity.slice(1), 10);
 }
 }
- entity = entity.replace(/^0+/, "");
- if (Number.isNaN(num) || numStr.toLowerCase() !== entity) {
+
+ if (Number.isNaN(num)) {
 this.fail("Invalid character entity");
 return `&${this.entity};`;
 }
diff --git a/test/bad-entities.js b/test/bad-entities.js
new file mode 100644
index 00000000..30a534fd
--- /dev/null
+++ b/test/bad-entities.js
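Review bot: The `Number.isNaN(num)` guard at the end of the lib/saxes.js hunk validates only the syntax of a character reference, so any all-digit reference yields a usable `num`, including `&#0;`, surrogate values and numbers above 0x10FFFF. parseEntity continues past the last line shown, so whether `num` is range-checked later is not visible here; if it is passed straight to something like `String.fromCodePoint`, an oversized value would throw a RangeError out of the parser instead of going through `this.fail`. A guard such as `if (Number.isNaN(num) || num > 0x10FFFF) {` would keep that input on the error path. Separately, `[x|X]` in the hex regex is a character class that also contains a literal `|`, where `[xX]` is meant, and XML's CharRef production only allows a lowercase `x`, so accepting `X` is more lenient than the spec. It is also worth confirming that `this.ENTITIES` has no prototype, since `this.ENTITIES[entity]` would otherwise resolve names like `constructor` to inherited, truthy members.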
@@ -0,0 +1,37 @@
+"use strict";
+
+require(".").test({
+ name: "empty entity",
+ xml: "&;",
+ expect: [
+ ["opentagstart", { name: "r", attributes: {} }],
+ ["opentag", { name: "r", attributes: {}, isSelfClosing: false }],
+ ["error", "Invalid character entity\nLine: 0\nColumn: 5\nChar: ;"],
+ ["text", "&;"],
+ ["closetag", "r"],
+ ],
+});
+
+require(".").test({
+ name: "empty decimal entity",
+ xml: "&#;",
+ expect: [
+ ["opentagstart", { name: "r", attributes: {} }],
+ ["opentag", { name: "r", attributes: {}, isSelfClosing: false }],
+ ["error", "Invalid character entity\nLine: 0\nColumn: 6\nChar: ;"],
+ ["text", "&#;"],
+ ["closetag", "r"],
+ ],
+});
+
+require(".").test({
+ name: "empty hex entity",
+ xml: "&#x;",
+ expect: [
+ ["opentagstart", { name: "r", attributes: {} }],
+ ["opentag", { name: "r", attributes: {}, isSelfClosing: false }],
+ ["error", "Invalid character entity\nLine: 0\nColumn: 7\nChar: ;"],
+ ["text", "&#x;"],
+ ["closetag", "r"],
+ ],
+});
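Review bot: The three cases cover only references with no digits at all, so the rewritten validation in parseEntity is not pinned for references that have digits followed by junk, or for the uppercase `X` prefix that the new condition explicitly accepts. Adding cases for inputs such as `&#12a;`, `&#x1G;` and `&#X41;`, each with its expected `error` and `text` events (or the decoded text where the reference is accepted), would keep a later change to the regexes from silently accepting malformed references.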