encoding/xml: does not check namespace constraints that do not require keeping extra state #68296

Open
@DemiMarie

Go version

go version go1.21.11 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/user/.cache/go-build'
GOENV='/home/user/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/user/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/user/go'
GOPRIVATE=''
GOPROXY='direct'
GOROOT='/usr/lib/golang'
GOSUMDB='off'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/lib/golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.11'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3671854511=/tmp/go-build -gno-record-gcc-switches'

What did you do?

https://go.dev/play/p/FRIvYTU13fC

What did you see happen?

encoding/xml does not reject XML with the following violations of namespace constraints:

  1. Binding a URL other than http://www.w3.org/XML/1998/namespace to the prefix xml:

    <!-- Ill-formed: cannot bind prefix xml: to a URL other than
         http://www.w3.org/XML/1998/namespace -->
    <a xmlns:xml="https://example.com"/>

  2. Binding http://www.w3.org/XML/1998/namespace to a prefix other than xml:

    <!-- Ill-formed: cannot bind a prefix other than xml: to
         http://www.w3.org/XML/1998/namespace -->
    <a xmlns:a="http://www.w3.org/XML/1998/namespace"/>

  3. Declaring http://www.w3.org/XML/1998/namespace as the default namespace:

    <!-- Ill-formed: cannot declare http://www.w3.org/XML/1998/namespace
         as default namespace -->
    <a xmlns="http://www.w3.org/XML/1998/namespace"/>

  4. Declaring the prefix xmlns, whether it is with the correct URL http://www.w3.org/2000/xmlns/:

    <!-- Ill-formed: cannot declare xmlns: prefix -->
    <a xmlns:xmlns="http://www.w3.org/2000/xmlns/"/>

    or with any other URL:

    <!-- Ill-formed: cannot declare xmlns: prefix -->
    <a xmlns:xmlns="https://example.com"/>

  5. Binding the URL http://www.w3.org/2000/xmlns/ to any prefix:

    <!-- Ill-formed: cannot bind a prefix to
         http://www.w3.org/2000/xmlns/ -->
    <a xmlns:a="http://www.w3.org/2000/xmlns/"/>

  6. Declaring http://www.w3.org/2000/xmlns/ as the default namespace:

    <!-- Ill-formed: cannot declare http://www.w3.org/2000/xmlns/
         as default namespace -->
    <a xmlns="http://www.w3.org/2000/xmlns/"/>

  7. Using xmlns as the prefix for an element:

    <!-- Ill-formed: xmlns: cannot be the prefix of an element name -->
    <xmlns:a/>

  8. Undeclaring a namespace prefix by binding the empty string:

    <!-- Ill-formed: cannot bind a namespace to the empty string -->
    <a xmlns:a=""/>

What did you expect to see?

encoding/xml should reject these violations, whether Token or RawToken is used. Detecting these violations can be done without maintaining any additional state and without resolving prefixes to namespace URLs.
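
The eight checks listed above can be applied by a caller as a filter over `RawToken` output before a document reaches namespace-sensitive code. This is an added example, not code from the issue or from the Go project; `CheckNamespaces` and its error strings are hypothetical, and it follows the issue's list in treating a prefix bound to the empty string as an error.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

const xmlNS = "http://www.w3.org/XML/1998/namespace"
const xmlnsNS = "http://www.w3.org/2000/xmlns/"

// CheckNamespaces (hypothetical name) tests each raw start tag in isolation.
func CheckNamespaces(doc string) error {
	d := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := d.RawToken()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		se, _ := tok.(xml.StartElement) // zero value for other token kinds
		if se.Name.Space == "xmlns" {
			return fmt.Errorf("xmlns used as an element prefix")
		}
		for _, a := range se.Attr {
			prefix, uri := a.Name.Local, a.Value
			if a.Name.Space == "" && prefix == "xmlns" {
				prefix = "" // default declaration: xmlns="..."
			} else if a.Name.Space != "xmlns" {
				continue // ordinary attribute, not a declaration
			}
			switch {
			case prefix == "xmlns":
				return fmt.Errorf("prefix xmlns declared")
			case uri == xmlnsNS:
				return fmt.Errorf("%s bound or made default", xmlnsNS)
			case (prefix == "xml") != (uri == xmlNS):
				return fmt.Errorf("xml prefix and %s bind only to each other", xmlNS)
			case prefix != "" && uri == "":
				return fmt.Errorf("prefix %q bound to the empty string", prefix)
			}
		}
	}
}

func main() { // constructed input: case 1 from the issue
	fmt.Println(CheckNamespaces(`<a xmlns:xml="https://example.com"/>`))
}
```

Because `RawToken` reports the prefix in `Name.Space`, every check compares literal strings from the current tag only, which is the "no additional state" property the issue describes.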

Labels: NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)