Validator: Fail for stray ampersand characters (#215)

orgads · amitguptagwl · commit a8ccdb9eb5f2 · 2019-12-24T18:10:19.000+05:30
* Introduce a helper function for simplifying the tests The following: const xmlData = '<name length="bar" length="baz"></name>'; var expected = { code: 'InvalidAttr', msg: "Attribute 'length' is repeated.", line: 1 } var result = validator.validate(xmlData).err; expect(result).toEqual(expected); Can be replaced by: validate('<name length="bar" length="baz"></name>', { InvalidAttr: "Attribute 'length' is repeated." } * Validator: Fail for stray ampersand characters Fixes #214
diff --git a/spec/validator_spec.js b/spec/validator_spec.js
@@ -2,6 +2,20 @@
 
 const validator = require("../src/validator");
 
+function validate(xmlData, error, line = 1) {
+    const result = validator.validate(xmlData);
+    if (error) {
+        const expected = {
+            code: Object.keys(error)[0],
+            msg: Object.values(error)[0],
+            line
+        };
+        expect(result.err).toEqual(expected);
+    } else {
+        expect(result).toBe(true);
+    }
+}
+
 describe("XMLParser", function () {
     it("should validate simple xml string", function () {
         let xmlData = "<rootNode></rootNode>";
@@ -511,6 +525,23 @@ attribute2="attribute2"
         var result = validator.validate(xmlData).err;
         expect(result).toEqual(expected);
     });
+
+    it('should validate value with ampersand', function () {
+        const error = {
+            InvalidChar: "char '&' is not expected."
+        };
+        validate('<rootNode>jekyll &amp; hyde</rootNode>');
+        validate('<rootNode>jekyll &#123; hyde</rootNode>');
+        validate('<rootNode>jekyll &#x1945abcdef; hyde</rootNode>');
+        validate('<rootNode>jekyll &#x1ah; hyde</rootNode>', error);
+        validate('<rootNode>jekyll &#1a; hyde</rootNode>', error);
+        validate('<rootNode>jekyll &#123 hyde</rootNode>', error);
+        validate('<rootNode>jekyll &#1abcd hyde</rootNode>', error);
+        validate('<rootNode>jekyll & hyde</rootNode>', error);
+        validate('<rootNode>jekyll &aa</rootNode>', error);
+        validate('<rootNode>jekyll &abcdefghij1234567890;</rootNode>');
+        validate('<rootNode>jekyll &abcdefghij1234567890a;</rootNode>', error); // limit to 20 chars
+    });
 });
 
 describe("should not validate XML documents with multiple root nodes", () => {
diff --git a/src/validator.js b/src/validator.js
@@ -155,6 +155,11 @@ exports.validate = function (xmlData, options) {
             } else {
               break;
             }
+          } else if (xmlData[i] === '&') {
+            const afterAmp = validateAmpersand(xmlData, i);
+            if (afterAmp == -1)
+              return getErrorObject('InvalidChar', `char '&' is not expected.`, getLineNumberForPosition(xmlData, i));
+            i = afterAmp;
           }
         } //end of reading tag text value
         if (xmlData[i] === '<') {
@@ -332,6 +337,41 @@ function validateAttributeString(attrStr, options, regxAttrName) {
   return true;
 }
 
+function validateNumberAmpersand(xmlData, i) {
+  let re = /\d/;
+  if (xmlData[i] === 'x') {
+    i++;
+    re = /[\da-fA-F]/;
+  }
+  for (; i < xmlData.length; i++) {
+    if (xmlData[i] === ';')
+      return i;
+    if (!xmlData[i].match(re))
+      break;
+  }
+  return -1;
+}
+
+function validateAmpersand(xmlData, i) {
+  // https://www.w3.org/TR/xml/#dt-charref
+  i++;
+  if (xmlData[i] === ';')
+    return -1;
+  if (xmlData[i] === '#') {
+    i++;
+    return validateNumberAmpersand(xmlData, i);
+  }
+  let count = 0;
+  for (; i < xmlData.length; i++, count++) {
+    if (xmlData[i].match(/\w/) && count < 20)
+      continue;
+    if (xmlData[i] === ';')
+      break;
+    return -1;
+  }
+  return i;
+}
+
 function getErrorObject(code, message, lineNumber) {
   return {
     err: {
