This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request from GHSA-h6q6-9hqw-rwfv
* fix!: Preserve quotes in DOCTYPE declaration

Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes.

BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping. (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd
https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

Co-authored-by: Christian Bewernitz <email@example.com>
Co-authored-by: Chris Brody <firstname.lastname@example.org>

* feat(security): Improve error reporting; throw on duplicate attribute

BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it is also safer for our users to fail when detecting them. It is possible to configure the `DOMParser.errorHandler` before parsing, to handle those errors differently.

To accomplish this and also be able to verify it in tests we needed to:
- create a new `Error` type `ParseError` and export it
- Throw `ParseError` from `errorHandler.fatalError` and prevent those from being caught in `XMLReader`.
- export `DOMHandler` constructor as `__DOMHandler`

Co-authored-by: Christian Bewernitz <email@example.com>
Co-authored-by: Chris Brody <firstname.lastname@example.org>
Co-authored-by: Christian Bewernitz <email@example.com>
Showing with 1,190 additions and 134 deletions.
- +5 −3 lib/dom-parser.js
- +4 −4 lib/dom.js
- +45 −23 lib/sax.js
- +501 −0 test/error/__snapshots__/reported-levels.test.js.snap
- +17 −16 test/error/__snapshots__/xml-error.test.js.snap
- +51 −0 test/error/error-handler.test.js
- +0 −83 test/error/error.test.js
- +106 −0 test/error/reported-levels.test.js
- +243 −0 test/error/reported.js
- +140 −0 test/error/xml-reader-dom-handler-errors.test.js
- +8 −4 test/html/__snapshots__/normalize.test.js.snap
- +27 −0 test/parse/doctype.test.js
- +38 −0 test/parse/parse-error.test.js
- +5 −1 test/xmltest/__snapshots__/not-wf.test.js.snap
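
The fail-closed pattern the commit message describes (a dedicated `ParseError` thrown from `errorHandler.fatalError` on a duplicate attribute, and not swallowed by the reader's own error recovery), as an added example that is not xmldom's code. `parseStartTag`, `read` and `strictHandler` are hypothetical names, the error messages are made up, and the input is assumed to be a single start tag with quoted attribute values.

```javascript
// Added illustration, not xmldom source. Only ParseError and
// errorHandler.fatalError are names taken from the commit message.
class ParseError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ParseError';
  }
}

// Default handler: fail closed by throwing.
const strictHandler = { fatalError(msg) { throw new ParseError(msg); } };

// Parse one start tag such as `<a x="1" y='2'>` into a name and attribute map.
// Assumption: no namespaces, entities or full XML name rules.
function parseStartTag(source, errorHandler = strictHandler) {
  const tag = /^<([A-Za-z_][\w.-]*)((?:\s+[^\s=]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>$/.exec(source);
  if (!tag) {
    errorHandler.fatalError('not a well-formed start tag: ' + source);
    return null;
  }
  const attrs = new Map();
  const attrRe = /([^\s=]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let a;
  while ((a = attrRe.exec(tag[2])) !== null) {
    const name = a[1];
    const value = a[2] !== undefined ? a[2] : a[3];
    if (attrs.has(name)) {
      // Consumers that disagree on first-wins vs last-wins would see
      // different documents, so a duplicate is reported as fatal.
      errorHandler.fatalError('Attribute ' + name + ' redefined');
      continue; // reached only when a custom handler chose not to throw
    }
    attrs.set(name, value);
  }
  return { tagName: tag[1], attrs };
}

// Reader wrapper: may recover from other errors, but never hides a ParseError.
function read(source, errorHandler = strictHandler) {
  try {
    return parseStartTag(source, errorHandler);
  } catch (e) {
    if (e instanceof ParseError) throw e; // must reach the caller
    return null; // hypothetical recovery path for unrelated errors
  }
}
```

Passing a custom `errorHandler` whose `fatalError` records the message instead of throwing keeps the first value of the duplicated attribute and lets the caller decide what to do with the report.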