Merge pull request #150 from ehoogerbeets/master

Support asymmetric sanitization to compensate for node-expat's problems

Author: c4milo

lib/json2xml.js

@@ -76,7 +76,7 @@ ToXml.prototype.openTag = function(key) {
 }
 ToXml.prototype.addAttr = function(key, val) {
     if (this.options.sanitize) {
-        val = sanitizer.sanitize(val);
+        val = sanitizer.sanitize(val, false, true);
     }
     this.xml += ' ' + key + '="' + val + '"';
 }

lib/sanitize.js

@@ -12,13 +12,30 @@
  *      "       "
  *      '       '
  */
-var chars = {
+// used for body text
+var charsEscape = {
+    '&': '&',
+    '<': '&lt;',
+    '>': '&gt;'
+};
+
+var charsUnescape = {
+    '&amp;': '&',
+    '&#35;': '#',
+    '&lt;': '<',
+    '&gt;': '>',
+    '&#40;': '(',
+    '&#41;': ')',
+    '&quot;': '"',
+    '&apos;': "'",
+    "&#31;": "\u001F"
+};
+
+// used in attribute values
+var charsAttrEscape = {
     '&': '&amp;',
-    '#': '&#35;',
     '<': '&lt;',
     '>': '&gt;',
-    '(': '&#40;',
-    ')': '&#41;',
     '"': '&quot;',
     "'": '&apos;'
 };
@@ -27,17 +44,17 @@ function escapeRegExp(string) {
     return string.replace(/([.*+?^=!:${}()|\[\]\/\\])/g, "\\$1");
 }
 
-exports.sanitize = function sanitize(value, reverse) {
+// sanitize body text
+exports.sanitize = function sanitize(value, reverse, attribute) {
     if (typeof value !== 'string') {
         return value;
     }
 
-    Object.keys(chars).forEach(function(key) {
-        if (reverse) {
-            value = value.replace(new RegExp(escapeRegExp(chars[key]), 'g'), key);
-        } else {
-            value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]);
-        }
+    var chars = reverse ? charsUnescape : (attribute ? charsAttrEscape : charsEscape);
+    var keys = Object.keys(chars);
+    
+    keys.forEach(function(key) {
+        value = value.replace(new RegExp(escapeRegExp(key), 'g'), chars[key]);
     });
 
     return value;

lib/xml2json.js

@@ -60,6 +60,7 @@ function endElement(name) {
             currentObject[textNodeName()] = currentObject[textNodeName()].trim()
         }
 
+        // node-expat already reverse sanitizes it whether we like it or not
         //if (options.sanitize) {
         //    currentObject[textNodeName()] = sanitizer.sanitize(currentObject[textNodeName()], true);
         //}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "xml2json",
-  "version": "0.11.1",
+  "version": "0.11.2",
   "description": "Converts xml to json and vice-versa, using node-expat.",
   "repository": "git://github.com/buglabs/node-xml2json.git",
   "license": "MIT",

test/fixtures/xmlsanitize.json

@@ -1 +1 @@
-{"e":{"a":{"b":"Smith & Son","$t":"Movers & <b>Shakers</b> Extraordinaire"}}}
+{"e":{"a":{"b":"<\"Smith\" & 'Son'>","$t":"Movers & <b>Shakers</b> Extraordinaire #()\"'"}}}

test/fixtures/xmlsanitize.xml

@@ -1 +1 @@
-<e><a b="Smith &amp; Son">Movers &amp; &lt;b&gt;Shakers&lt;/b&gt; Extraordinaire</a></e>
+<e><a b="&lt;&quot;Smith&quot; &amp; &apos;Son&apos;&gt;">Movers &amp; &lt;b&gt;Shakers&lt;/b&gt; Extraordinaire #()"'</a></e>