fix(sax): Only use own properties in entityMap (#374)
karfau authored Feb 13, 2022
1 parent acb9b50 commit e31e25d
Showing 3 changed files with 60 additions and 19 deletions.
38 changes: 19 additions & 19 deletions lib/sax.js
Expand Up @@ -12,7 +12,7 @@ var tagNamePattern = new RegExp('^'+nameStartChar.source+nameChar.source+'*(?:\:
//S_TAG, S_ATTR, S_EQ, S_ATTR_NOQUOT_VALUE
//S_ATTR_SPACE, S_ATTR_END, S_TAG_SPACE, S_TAG_CLOSE
var S_TAG = 0;//tag name offerring
var S_ATTR = 1;//attr name offerring
var S_ATTR = 1;//attr name offerring
var S_ATTR_SPACE=2;//attr name end and space offer
var S_EQ = 3;//=space?
var S_ATTR_NOQUOT_VALUE = 4;//attr value(no quot value only)
Expand All @@ -36,7 +36,7 @@ ParseError.prototype = new Error();
ParseError.prototype.name = ParseError.name

function XMLReader(){

}

XMLReader.prototype = {
Expand Down Expand Up @@ -65,8 +65,8 @@ function parse(source,defaultNSMapCopy,entityMap,domBuilder,errorHandler){
}
function entityReplacer(a){
var k = a.slice(1,-1);
if(k in entityMap){
return entityMap[k];
if (Object.hasOwnProperty.call(entityMap, k)) {
return entityMap[k];
}else if(k.charAt(0) === '#'){
return fixedFromCharCode(parseInt(k.substr(1).replace('x','0x')))
}else{
Expand Down Expand Up @@ -95,7 +95,7 @@ function parse(source,defaultNSMapCopy,entityMap,domBuilder,errorHandler){
var lineEnd = 0;
var linePattern = /.*(?:\r\n?|\n)|.*$/g
var locator = domBuilder.locator;

var parseStack = [{currentNSMap:defaultNSMapCopy}]
var closeMap = {};
var start = 0;
Expand All @@ -120,7 +120,7 @@ function parse(source,defaultNSMapCopy,entityMap,domBuilder,errorHandler){
var tagName = source.substring(tagStart + 2, end).replace(/[ \t\n\r]+$/g, '');
var config = parseStack.pop();
if(end<0){

tagName = source.substring(tagStart+2).replace(/[\s<].*/,'');
errorHandler.error("end tag name: "+tagName+' is not complete:'+config.tagName);
end = tagStart+1+tagName.length;
Expand All @@ -145,7 +145,7 @@ function parse(source,defaultNSMapCopy,entityMap,domBuilder,errorHandler){
}else{
parseStack.push(config)
}

end++;
break;
// end elment
Expand All @@ -164,8 +164,8 @@ function parse(source,defaultNSMapCopy,entityMap,domBuilder,errorHandler){
//elStartEnd
var end = parseElementStartPart(source,tagStart,el,currentNSMap,entityReplacer,errorHandler);
var len = el.length;


if(!el.closed && fixSelfClosed(source,end,el.tagName,closeMap)){
el.closed = true;
if(!entityMap.nbsp){
Expand Down Expand Up @@ -435,7 +435,7 @@ function appendElement(el,domBuilder,currentNSMap){
}
//can not set prefix,because prefix !== ''
a.localName = localName ;
//prefix == null for no ns prefix attribute
//prefix == null for no ns prefix attribute
if(nsPrefix !== false){//hack!!
if(localNSMap == null){
localNSMap = {}
Expand All @@ -445,7 +445,7 @@ function appendElement(el,domBuilder,currentNSMap){
}
currentNSMap[nsPrefix] = localNSMap[nsPrefix] = value;
a.uri = NAMESPACE.XMLNS
domBuilder.startPrefixMapping(nsPrefix, value)
domBuilder.startPrefixMapping(nsPrefix, value)
}
}
var i = el.length;
Expand All @@ -457,7 +457,7 @@ function appendElement(el,domBuilder,currentNSMap){
a.uri = NAMESPACE.XML;
}if(prefix !== 'xmlns'){
a.uri = currentNSMap[prefix || '']

//{console.log('###'+a.qName,domBuilder.locator.systemId+'',currentNSMap,a.uri)}
}
}
Expand All @@ -479,7 +479,7 @@ function appendElement(el,domBuilder,currentNSMap){
domBuilder.endElement(ns,localName,tagName);
if(localNSMap){
for(prefix in localNSMap){
domBuilder.endPrefixMapping(prefix)
domBuilder.endPrefixMapping(prefix)
}
}
}else{
Expand All @@ -506,7 +506,7 @@ function parseHtmlSpecialContent(source,elStartEnd,tagName,entityReplacer,domBui
domBuilder.characters(text,0,text.length);
return elEndStart;
//}

}
}
return elStartEnd+1;
Expand All @@ -523,7 +523,7 @@ function fixSelfClosed(source,elStartEnd,tagName,closeMap){
closeMap[tagName] =pos
}
return pos<elStartEnd;
//}
//}
}
function _copy(source,target){
for(var n in source){target[n] = source[n]}
Expand Down Expand Up @@ -551,11 +551,11 @@ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
var end = source.indexOf(']]>',start+9);
domBuilder.startCDATA();
domBuilder.characters(source,start+9,end-start-9);
domBuilder.endCDATA()
domBuilder.endCDATA()
return end+3;
}
//<!DOCTYPE
//startDTD(java.lang.String name, java.lang.String publicId, java.lang.String systemId)
//startDTD(java.lang.String name, java.lang.String publicId, java.lang.String systemId)
var matchs = split(source,start);
var len = matchs.length;
if(len>1 && /!doctype/i.test(matchs[0][0])){
Expand All @@ -573,7 +573,7 @@ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
var lastMatch = matchs[len-1]
domBuilder.startDTD(name, pubid, sysid);
domBuilder.endDTD();

return lastMatch.index+lastMatch[0].length
}
}
Expand Down Expand Up @@ -622,7 +622,7 @@ ElementAttributes.prototype = {
getValue:function(i){return this[i].value}
// ,getIndex:function(uri, localName)){
// if(localName){
//
//
// }else{
// var qName = uri
// }
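Review bot: The own-property guard is applied only in `entityReplacer`; other lookups visible in this section still read through the prototype chain, notably `a.uri = currentNSMap[prefix || '']` in `appendElement` and `if(!entityMap.nbsp)` in `parse`. If those maps are plain objects (most of their construction is outside the visible hunks, though `localNSMap = {}` is shown), a prefix such as `constructor` would resolve to an inherited member rather than `undefined`, so the same check, or maps created with `Object.create(null)`, should be considered there. The guard itself would read more conventionally as `Object.prototype.hasOwnProperty.call(entityMap, k)`; the current spelling works only because `Object` inherits the method. The other changed lines in this file appear to be whitespace-only, which makes the one security-relevant change harder to audit; a separate formatting commit would keep the fix reviewable.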
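--- a/test/parse/__snapshots__/entities.test.js.snap
+++ b/test/parse/__snapshots__/entities.test.js.snap
@@ -0,0 +1,20 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`entity replacement ignores js prototype chain should not pick up 'entities' from the prototype chain 1`] = `
+Object {
+"actual": "
+<xml>
+<hasOwnProperty>&amp;hasOwnProperty;</hasOwnProperty>
+<proto>&amp;__proto__;</proto>
+<constructor>&amp;constructor;</constructor>
+</xml>",
+"error": Array [
+"[xmldom error] entity not found:&hasOwnProperty;
+@#[line:3,col:4]",
+"[xmldom error] entity not found:&__proto__;
+@#[line:4,col:4]",
+"[xmldom error] entity not found:&constructor;
+@#[line:5,col:4]",
+],
+}
+`;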
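--- a/test/parse/entities.test.js
+++ b/test/parse/entities.test.js
@@ -0,0 +1,21 @@
+'use strict'
+
+const { getTestParser } = require('../get-test-parser')
+const { MIME_TYPE } = require('../../lib/conventions')
+
+describe('entity replacement ignores js prototype chain', () => {
+it("should not pick up 'entities' from the prototype chain", () => {
+const source = `
+<xml>
+<hasOwnProperty>&hasOwnProperty;</hasOwnProperty>
+<proto>&__proto__;</proto>
+<constructor>&constructor;</constructor>
+</xml>
+`
+const { errors, parser } = getTestParser()
+
+const actual = parser.parseFromString(source, MIME_TYPE.XML_TEXT).toString()
+
+expect({ actual, ...errors }).toMatchSnapshot()
+})
+})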
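Review bot: The only assertion is `toMatchSnapshot()`, so the property under test (that `&hasOwnProperty;`, `&__proto__;` and `&constructor;` stay unresolved and are reported as errors) lives in a separate generated file and can be overwritten by a snapshot update. An explicit check such as `expect(actual).toContain('&amp;constructor;')` next to the snapshot would keep the intent in the test itself. The case also covers only `MIME_TYPE.XML_TEXT`; a second run with `MIME_TYPE.HTML` would pin the guard for the HTML entity map, assuming that map is also a plain object.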
