This repository has been archived by the owner on Jan 7, 2021. It is now read-only.

Merge pull request #150 from ehoogerbeets/master
Support asymmetric sanitization to compensate for node-expat's problems
c4milo committed Nov 15, 2017
2 parents d3a3af9 + b9b044c commit e05fa24
Showing 6 changed files with 33 additions and 15 deletions.
2 changes: 1 addition & 1 deletion lib/json2xml.js
Expand Up @@ -76,7 +76,7 @@ ToXml.prototype.openTag = function(key) {
}
ToXml.prototype.addAttr = function(key, val) {
if (this.options.sanitize) {
val = sanitizer.sanitize(val);
val = sanitizer.sanitize(val, false, true);
}
this.xml += ' ' + key + '="' + val + '"';
}
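Review bot: In `addAttr`, a non-string `val` still reaches the `this.xml += ...` concatenation unescaped, because `sanitize` in lib/sanitize.js returns anything that is not a string unchanged; an array, or an object with its own `toString`, is then stringified inside the double-quoted attribute with `"`, `<` and `&` intact. Converting before escaping closes that gap without changing the output for strings and numbers: `val = sanitizer.sanitize(String(val), false, true);`. Escaping also stays opt-in through `this.options.sanitize` and `key` is written as-is, so a short comment on `addAttr` saying that attribute names must come from a trusted source, and that values are escaped only when `sanitize` is set, would help callers.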
39 changes: 28 additions & 11 deletions lib/sanitize.js
Expand Up @@ -12,13 +12,30 @@
* " "
* ' '
*/
var chars = {
// used for body text
var charsEscape = {
'&': '&',
'<': '&lt;',
'>': '&gt;'
};

var charsUnescape = {
'&amp;': '&',
'&#35;': '#',
'&lt;': '<',
'&gt;': '>',
'&#40;': '(',
'&#41;': ')',
'&quot;': '"',
'&apos;': "'",
"&#31;": "\u001F"
};

// used in attribute values
var charsAttrEscape = {
'&': '&amp;',
'#': '&#35;',
'<': '&lt;',
'>': '&gt;',
'(': '&#40;',
')': '&#41;',
'"': '&quot;',
"'": '&apos;'
};
Expand All @@ -27,17 +44,17 @@ function escapeRegExp(string) {
return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
}

exports.sanitize = function sanitize(value, reverse) {
// sanitize body text
exports.sanitize = function sanitize(value, reverse, attribute) {
if (typeof value !== 'string') {
return value;
}

Object.keys(chars).forEach(function(key) {
if (reverse) {
value = value.replace(new RegExp(escapeRegExp(chars[key]), 'g'), key);
} else {
value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]);
}
var chars = reverse ? charsUnescape : (attribute ? charsAttrEscape : charsEscape);
var keys = Object.keys(chars);

keys.forEach(function(key) {
value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]);
});

return value;
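Review bot: The reverse path of `sanitize` decodes twice: `charsUnescape` lists `&amp;` first and the `keys.forEach` loop applies one global replace per key to the running `value`, so `&amp;lt;` becomes `&lt;` and then `<` instead of the literal text `&lt;`. The escape direction has the mirror-image dependency, being correct only while `&` (and `#` in `charsAttrEscape`) stay ahead of the keys whose replacements contain them. A single pass with one alternation removes both order dependencies and builds one RegExp per call instead of one per key; the sketch below replaces the `keys.forEach` loop. The function's closing lines fall outside the hunk, and whether any caller still passes `reverse` is not visible here, but the function is exported.

```javascript
// … unchanged: typeof value !== 'string' guard …
var chars = reverse ? charsUnescape : (attribute ? charsAttrEscape : charsEscape);
// One pass: each position in the input is matched at most once, so the
// output of one replacement is never re-scanned by a later one.
var pattern = new RegExp(Object.keys(chars).map(escapeRegExp).join('|'), 'g');

return value.replace(pattern, function(match) {
  return chars[match];
});
```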
1 change: 1 addition & 0 deletions lib/xml2json.js
Expand Up @@ -60,6 +60,7 @@ function endElement(name) {
currentObject[textNodeName()] = currentObject[textNodeName()].trim()
}

// node-expat already reverse sanitizes it whether we like it or not
//if (options.sanitize) {
// currentObject[textNodeName()] = sanitizer.sanitize(currentObject[textNodeName()], true);
//}
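Review bot: `options.sanitize` has no effect on this path in `endElement`, since the call is commented out, and the added comment sits above three lines of dead code rather than stating that. I would delete the commented-out block and leave a single comment such as `// node-expat decodes entities itself, so options.sanitize has no effect here; text is returned unescaped`. The option's documentation should say the same, so that callers who place the resulting text into HTML or XML know the escaping is theirs to do. `endElement` starts and ends outside the hunk.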
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "xml2json",
"version": "0.11.1",
"version": "0.11.2",
"description": "Converts xml to json and vice-versa, using node-expat.",
"repository": "git://github.com/buglabs/node-xml2json.git",
"license": "MIT",
2 changes: 1 addition & 1 deletion test/fixtures/xmlsanitize.json
@@ -1 +1 @@
{"e":{"a":{"b":"Smith & Son","$t":"Movers & <b>Shakers</b> Extraordinaire"}}}
{"e":{"a":{"b":"<\"Smith\" & 'Son'>","$t":"Movers & <b>Shakers</b> Extraordinaire #()\"'"}}}
2 changes: 1 addition & 1 deletion test/fixtures/xmlsanitize.xml
@@ -1 +1 @@
<e><a b="Smith &amp; Son">Movers &amp; &lt;b&gt;Shakers&lt;/b&gt; Extraordinaire</a></e>
<e><a b="&lt;&quot;Smith&quot; &amp; &apos;Son&apos;&gt;">Movers &amp; &lt;b&gt;Shakers&lt;/b&gt; Extraordinaire #()"'</a></e>
