From 39f3d232b14ad07b5ea3e55413564b0cb3c844a0 Mon Sep 17 00:00:00 2001 From: Edwin Hoogerbeets Date: Wed, 15 Nov 2017 11:49:50 -0800 Subject: [PATCH 1/3] Support asymetric sanitization This allows us to deal with node-expat properly --- lib/json2xml.js | 2 +- lib/sanitize.js | 39 +++++++++++++++++++++++++++++---------- lib/xml2json.js | 1 + package.json | 2 +- 4 files changed, 32 insertions(+), 12 deletions(-) diff --git a/lib/json2xml.js b/lib/json2xml.js index 706e870..481a149 100644 --- a/lib/json2xml.js +++ b/lib/json2xml.js @@ -76,7 +76,7 @@ ToXml.prototype.openTag = function(key) { } ToXml.prototype.addAttr = function(key, val) { if (this.options.sanitize) { - val = sanitizer.sanitize(val); + val = sanitizer.sanitize(val, false, true); } this.xml += ' ' + key + '="' + val + '"'; } diff --git a/lib/sanitize.js b/lib/sanitize.js index 3dfc841..b2c1ae8 100644 --- a/lib/sanitize.js +++ b/lib/sanitize.js @@ -12,13 +12,32 @@ * " " * ' ' */ -var chars = { +// used for body text +var charsEscape = { '&': '&', '#': '#', '<': '<', '>': '>', - '(': '(', - ')': ')', + "\u001F": "" +}; + +var charsUnescape = { + '&': '&', + '#': '#', + '<': '<', + '>': '>', + '(': '(', + ')': ')', + '"': '"', + ''': "'", + "": "\u001F" +}; + +// used in attribute values +var charsAttrEscape = { + '&': '&', + '<': '<', + '>': '>', '"': '"', "'": ''' }; 
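Review bot: `val = sanitizer.sanitize(val, false, true)` in `ToXml.prototype.addAttr` selects the attribute escape table through two positional booleans, which says nothing at the call site; a comment such as `// reverse=false, attribute=true: escape for a double-quoted attribute value` (or two named constants) would make the intent readable. Only `val` is escaped; `key` is interpolated into `' ' + key + '="' + val + '"'` on the next line as-is, which predates this commit but belongs in whatever documents the escaping contract of `addAttr`. Note also that `sanitize` returns non-string values unchanged (the `typeof value !== 'string'` guard in lib/sanitize.js), so a non-string `val` reaches the concatenation without any escaping.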
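Review bot: The last entry of `charsUnescape` renders here with an empty-string key (`"": "\u001F"`); if that key is genuinely empty in the source rather than a control character lost in rendering, `new RegExp(escapeRegExp(""), 'g')` matches at every position and `replace` inserts `\u001F` between every character of the text being unescaped, so the key should be confirmed and the entry annotated with the entity it stands for. The companion `charsEscape` entry `"\u001F": ""` has the same ambiguity on its value side; as shown it deletes the character rather than escaping it, and the right-hand sides of the other entries also appear entity-decoded on this page, so the same caveat applies to them. The three tables would benefit from one header comment stating the contract, e.g. `// body text is escaped with charsEscape, attribute values with charsAttrEscape; both are reversed with the single charsUnescape table, which is wider than either escape table on purpose`.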
@@ -27,17 +46,17 @@ function escapeRegExp(string) { return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1"); } -exports.sanitize = function sanitize(value, reverse) { +// sanitize body text +exports.sanitize = function sanitize(value, reverse, attribute) { if (typeof value !== 'string') { return value; } - Object.keys(chars).forEach(function(key) { - if (reverse) { - value = value.replace(new RegExp(escapeRegExp(chars[key]), 'g'), key); - } else { - value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]); - } + var chars = reverse ? charsUnescape : (attribute ? charsAttrEscape : charsEscape); + var keys = Object.keys(chars); + + keys.forEach(function(key) { + value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]); }); return value; diff --git a/lib/xml2json.js b/lib/xml2json.js index f8342a1..912d2d1 100644 --- a/lib/xml2json.js +++ b/lib/xml2json.js @@ -60,6 +60,7 @@ function endElement(name) { currentObject[textNodeName()] = currentObject[textNodeName()].trim() } + // node-expat already reverse sanitizes it whether we like it or not //if (options.sanitize) { // currentObject[textNodeName()] = sanitizer.sanitize(currentObject[textNodeName()], true); //} diff --git a/package.json b/package.json index 334cbdb..a56ff53 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "xml2json", - "version": "0.11.1", + "version": "0.11.2", "description": "Converts xml to json and vice-versa, using node-expat.", "repository": "git://github.com/buglabs/node-xml2json.git", "license": "MIT", From be0bf416c935833a037035220e02aa9382edb85c Mon Sep 17 00:00:00 2001 From: Edwin Hoogerbeets Date: Wed, 15 Nov 2017 13:19:28 -0800 Subject: [PATCH 2/3] Fix the hash in the wrong place --- lib/sanitize.js | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/sanitize.js b/lib/sanitize.js index b2c1ae8..fb2247c 100644 --- a/lib/sanitize.js +++ b/lib/sanitize.js 
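Review bot: The new comment `// sanitize body text` above `exports.sanitize` is inaccurate now that the same function handles attribute values and the reverse direction; `// escape text for XML: attribute=true uses the attribute-value table, reverse=true unescapes with charsUnescape` describes what the `chars` selection actually does. The replacements in `keys.forEach` are applied one after another and rebuild a `RegExp` per key on every call, so the result depends on the key order of the selected table: an entry whose replacement contains a character that a later key matches is transformed twice, and in the unescape direction an earlier replacement can create text that a later entry matches. Building one alternation regex from the keys, `var re = new RegExp(keys.map(escapeRegExp).join('|'), 'g'); return value.replace(re, function (m) { return chars[m]; });`, makes the mapping order-independent and avoids the per-call regex construction. Whether the current tables happen to be ordered safely cannot be checked here because their values appear entity-decoded on this page.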
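Review bot: The added comment in `endElement` justifies keeping commented-out code rather than removing it; the `//if (options.sanitize)` block below it is dead and should be deleted, with the comment carrying the reason a reader needs, e.g. `// Body text is not unescaped here: node-expat already decodes entities, so running sanitizer.sanitize(..., true) again would unescape a second time.` With this change `options.sanitize` has no effect in the xml2json direction, so if the option is documented as applying to both directions that documentation should say so. `endElement` starts before and continues after the hunk.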
@@ -15,7 +15,6 @@ // used for body text var charsEscape = { '&': '&', - '#': '#', '<': '<', '>': '>', "\u001F": "" From b9b044c3eb444a6f3ae9e4e9baebcd96bfc20e42 Mon Sep 17 00:00:00 2001 From: Edwin Hoogerbeets Date: Wed, 15 Nov 2017 14:03:51 -0800 Subject: [PATCH 3/3] Test special chars escaped by node-expat in attr values and regular text --- lib/sanitize.js | 3 +-- test/fixtures/xmlsanitize.json | 2 +- test/fixtures/xmlsanitize.xml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/sanitize.js b/lib/sanitize.js index fb2247c..d1dc6c7 100644 --- a/lib/sanitize.js +++ b/lib/sanitize.js @@ -16,8 +16,7 @@ var charsEscape = { '&': '&', '<': '<', - '>': '>', - "\u001F": "" + '>': '>' }; var charsUnescape = { diff --git a/test/fixtures/xmlsanitize.json b/test/fixtures/xmlsanitize.json index 7b0d6ff..95faefc 100644 --- a/test/fixtures/xmlsanitize.json +++ b/test/fixtures/xmlsanitize.json @@ -1 +1 @@ -{"e":{"a":{"b":"Smith & Son","$t":"Movers & Shakers Extraordinaire"}}} \ No newline at end of file +{"e":{"a":{"b":"<\"Smith\" & 'Son'>","$t":"Movers & Shakers Extraordinaire #()\"'"}}} \ No newline at end of file diff --git a/test/fixtures/xmlsanitize.xml b/test/fixtures/xmlsanitize.xml index 72669a1..7eaf4e9 100644 --- a/test/fixtures/xmlsanitize.xml +++ b/test/fixtures/xmlsanitize.xml @@ -1 +1 @@ -Movers & <b>Shakers</b> Extraordinaire \ No newline at end of file +Movers & <b>Shakers</b> Extraordinaire #()"' \ No newline at end of file
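Review bot: Removing `"\u001F": ""` from `charsEscape` leaves its reverse counterpart `"": "\u001F"` in `charsUnescape` in place, so the unescape table now contains an entry that no escape table produces. If the `\u001F` handling was abandoned the unescape entry should go as well, or a comment on it should state why a reverse-only mapping is kept, e.g. `// reverse-only: node-expat may emit this sequence even though we never produce it`, only if that is in fact the reason. `charsUnescape` itself is outside this hunk.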