Missing error for XML documents with multiple root element nodes #150
Comments

Sorry if this has already been documented elsewhere. I searched around and didn’t see this behavior being discussed anywhere, so I figured I’d file it here and see where it went.

Ultimately responsible for this security bug: https://nvd.nist.gov/vuln/detail/CVE-2022-39299

@frumioj xmldom is currently maintained at https://github.com/xmldom/xmldom.

Fixes have been provided for

GHSA-crh6-fp67-6883 notes that 0.7.7 is both affected and fixed. Can the impacted version ranges be clarified? I guess that should probably be < not <=?

Thank you for letting me know, you guessed correctly, I fixed it.
Bug Description:
xmldom allows incoming documents to have multiple root element nodes. This appears to me to be a violation of the W3C DOM Level 2 Core Specification:
However, the spec also says this:
In light of this, for the record, I actually don’t dislike the fact that xmldom can parse such documents. This comes with a few reservations (outlined below) because it seems like the current behavior is contrary to what the specs (both W3C DOM Level 2 Core and XML 1.1) assert ought to be the case.
Bug Reproduction:
The following code:
…produces the following output:
In contrast to this, libxmljs — which relies on libxml2 — refuses to parse such documents, opting to throw an error instead:
Firefox behaves in a similar way, and refuses to parse the document:
Chrome goes a little bit farther in that it is at least willing to parse/render the first root element node:
Expectations/Recommendations/Discussion:
<?xml?> declarations — then the DOMParser should, bare-minimum, simply opt to not support such streams, and should raise an error informing the consumer that the given XML stream is invalid.
Conclusion:
On one hand, I think it is a useful thing to be able to parse streams containing multiple XML documents.
On the other hand, to do that silently without issuing even so much as a warning to consumers — especially when the specs say that root nodes should be unique — seems, well, odd. It seems like the current behavior is more of an artifact or a side-effect of xmldom’s current architecture than it is an intentional aspect of its design, hence my writing this up as a bug rather than a feature request. (If I’m mistaken, do let me know!)
Environment/Versions:
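A consumer-side guard for the behavior this issue describes, added here as an example and not code from xmldom or from the reporter: `countRootElements` and `assertSingleRoot` are hypothetical helpers that count top-level element nodes in the serialized text, so an application can reject multi-root input before calling DOMParser, whether or not the parser itself raises an error.

```javascript
// Added example (not xmldom's code): a pre-parse guard against multi-root XML.
// countRootElements is a hypothetical helper: a conservative scanner of the
// serialized text, not a full XML parser; it throws on malformed input.
function countRootElements(xml) {
  let depth = 0, roots = 0, i = 0;
  const n = xml.length;
  while (i < n) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    // Skip markup whose interior may contain '<' or '>': comments, CDATA,
    // processing instructions (incl. the <?xml?> declaration) and declarations
    // such as <!DOCTYPE> (each declaration of an internal subset is skipped too).
    const skip = [['<!--', '-->'], ['<![CDATA[', ']]>'], ['<?', '?>'], ['<!', '>']]
      .find(([open]) => xml.startsWith(open, lt));
    if (skip) {
      const end = xml.indexOf(skip[1], lt + skip[0].length);
      if (end === -1) throw new Error(`unterminated ${skip[0]} markup`);
      i = end + skip[1].length;
      continue;
    }
    // Ordinary start/end/empty tag: find its '>' outside quoted attribute values.
    let j = lt + 1, quote = null;
    for (; j < n; j++) {
      const c = xml[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    if (j >= n) throw new Error('unterminated tag');
    const tag = xml.slice(lt + 1, j);
    if (tag.startsWith('/')) {
      if (--depth < 0) throw new Error('end tag without matching start tag');
    } else {
      if (depth === 0) roots++;          // a top-level element node
      if (!tag.endsWith('/')) depth++;   // empty-element tags do not nest
    }
    i = j + 1;
  }
  if (depth !== 0) throw new Error('unclosed element');
  return roots;
}

// Reject anything other than exactly one root element before handing the text
// to DOMParser (or any parser that, like xmldom in this issue, accepts several).
function assertSingleRoot(xml) {
  const roots = countRootElements(xml);
  if (roots !== 1) throw new Error(`expected one root element, found ${roots}`);
  return xml;
}
```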