From 4327eec497301a1787268a05341103e88d879bea Mon Sep 17 00:00:00 2001
From: Louis-Dominique Dubeau <ldd@lddubeau.com>
Date: Wed, 4 Jul 2018 08:53:08 -0400
Subject: [PATCH] fix: prevent colons in pi and entity names when xmlns is true

---
 lib/saxes.js | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/lib/saxes.js b/lib/saxes.js
index a34f0780..495807d0 100644
--- a/lib/saxes.js
+++ b/lib/saxes.js
@@ -518,6 +518,16 @@ class SAXParser {
           this.state = S_PROC_INST_BODY;
         }
         else {
+          // When namespaces are used, colons are not valid in pi names.
+          // https://www.w3.org/XML/xml-names-19990114-errata.html
+          // NE08
+          if (!(isMatch(this.procInstName.length ? nameBody : nameStart, c) &&
+                 // When namespaces are used, colons are not valid in entity names.
+                 // https://www.w3.org/XML/xml-names-19990114-errata.html
+                 // NE08
+                (!this.opt.xmlns || c !== ":"))) {
+            this.fail("Invalid characer in processing instruction name.");
+          }
           this.procInstName += c;
         }
         continue;
@@ -790,7 +800,11 @@ class SAXParser {
           this.entity = "";
           this.state = returnState;
         }
-        else if (isMatch(this.entity.length ? entityBody : entityStart, c)) {
+        else if (isMatch(this.entity.length ? entityBody : entityStart, c) &&
+                 // When namespaces are used, colons are not valid in entity names.
+                 // https://www.w3.org/XML/xml-names-19990114-errata.html
+                 // NE08
+                 (!this.opt.xmlns || c !== ":")) {
           this.entity += c;
         }
         else {