Escape regex char in entity name

amitguptagwl · amitguptagwl · commit ddcd0acf26dd · 2026-02-08T16:19:48.000+05:30
diff --git a/src/v6/EntitiesParser.js b/src/v6/EntitiesParser.js
@@ -37,12 +37,13 @@ export default class EntitiesParser{
     }
     addExternalEntity(key,val){
       validateEntityName(key);
+      const escaped = key.replace(/[.\-+*:]/g, '\\.');
       if(val.indexOf("&") !== -1) {
         reportWarning(`Entity ${key} is not added as '&' is found in value;`)
         return;
       }else{
-        this.lastEntities[ent] = {
-          regex: new RegExp("&"+key+";","g"),
+        this.lastEntities[key] = {
+          regex: new RegExp("&"+escaped+";","g"),
           val : val
         }
       }
@@ -52,8 +53,9 @@ export default class EntitiesParser{
         const entKeys = Object.keys(entities);
         for (let i = 0; i < entKeys.length; i++) {
           const ent = entKeys[i];
+          const escaped = ent.replace(/[.\-+*:]/g, '\\.');
           this.docTypeEntities[ent] = {
-             regex: new RegExp("&"+ent+";","g"),
+             regex: new RegExp("&"+escaped+";","g"),
              val : entities[ent]
           }
         }
@@ -89,11 +91,11 @@ export default class EntitiesParser{
         }
         return val;
     }
-};
+}
 
 //an entity name should not contains special characters that may be used in regex
 //Eg !?\\\/[]$%{}^&*()<>
-const specialChar = "!?\\\/[]$%{}^&*()<>|+";
+const specialChar = "!?\\/[]$%{}^&*()<>|+";
 
 function validateEntityName(name){
     for (let i = 0; i < specialChar.length; i++) {
diff --git a/src/xmlparser/DocTypeReader.js b/src/xmlparser/DocTypeReader.js
@@ -25,11 +25,13 @@ export default class DocTypeReader{
                         i += 7; 
                         let entityName, val;
                         [entityName, val,i] = this.readEntityExp(xmlData,i+1,this.suppressValidationErr);
-                        if(val.indexOf("&") === -1) //Parameter entities are not supported
+                        if(val.indexOf("&") === -1){ //Parameter entities are not supported
+                            const escaped = entityName.replace(/[.\-+*:]/g, '\\.');
                             entities[ entityName ] = {
-                                regx : RegExp( `&${entityName};`,"g"),
+                                regx : RegExp( `&${escaped};`,"g"),
                                 val: val
                             };
+                        }
                     }
                     else if( hasBody && hasSeq(xmlData, "!ELEMENT",i))  {
                         i += 8;//Not supported

Original file line number	Diff line number	Diff line change
`@@ -37,12 +37,13 @@ export default class EntitiesParser{`
`37`	`37`	`}`
`38`	`38`	`addExternalEntity(key,val){`
`39`	`39`	`validateEntityName(key);`
	`40`	`+ const escaped = key.replace(/[.\-+*:]/g, '\\.');`
`40`	`41`	`if(val.indexOf("&") !== -1) {`
`41`	`42`	reportWarning(`Entity ${key} is not added as '&' is found in value;`)
`42`	`43`	`return;`
`43`	`44`	`}else{`
`44`		`- this.lastEntities[ent] = {`
`45`		`- regex: new RegExp("&"+key+";","g"),`
	`45`	`+ this.lastEntities[key] = {`
	`46`	`+ regex: new RegExp("&"+escaped+";","g"),`
`46`	`47`	`val : val`
`47`	`48`	`}`
`48`	`49`	`}`
`@@ -52,8 +53,9 @@ export default class EntitiesParser{`
`52`	`53`	`const entKeys = Object.keys(entities);`
`53`	`54`	`for (let i = 0; i < entKeys.length; i++) {`
`54`	`55`	`const ent = entKeys[i];`
	`56`	`+ const escaped = ent.replace(/[.\-+*:]/g, '\\.');`
`55`	`57`	`this.docTypeEntities[ent] = {`
`56`		`- regex: new RegExp("&"+ent+";","g"),`
	`58`	`+ regex: new RegExp("&"+escaped+";","g"),`
`57`	`59`	`val : entities[ent]`
`58`	`60`	`}`
`59`	`61`	`}`
`@@ -89,11 +91,11 @@ export default class EntitiesParser{`
`89`	`91`	`}`
`90`	`92`	`return val;`
`91`	`93`	`}`
`92`		`-};`
	`94`	`+}`
`93`	`95`
`94`	`96`	`//an entity name should not contains special characters that may be used in regex`
`95`	`97`	`//Eg !?\\\/[]$%{}^&*()<>`
`96`		`-const specialChar = "!?\\\/[]$%{}^&*()<>\|+";`
	`98`	`+const specialChar = "!?\\/[]$%{}^&*()<>\|+";`
`97`	`99`
`98`	`100`	`function validateEntityName(name){`
`99`	`101`	`for (let i = 0; i < specialChar.length; i++) {`