Invalid xml:id permitted in XML documents

[jcoyne]

Please describe the bug

Nokogiri permits invalid "xml:id" attributes.

doc = Nokogiri.XML('<bad id="////"></bad>')
doc.xpath('//bad').first['id']
=> "////"

This id value is not valid according to the spec https://www.w3.org/TR/xml-id/#syntax The value of an "xml:id" attribute must an NCName (https://www.w3.org/TR/xml-names11/#NT-NCName)

I would expect that the case above ought to result in some sort of exception.

I'm very sorry... 🥲

[flavorjones]

Hey, Justin, thanks for opening this issue. It may be a day or two before I'm able to dig in, but I promise I will take a look.

[flavorjones]

Whoop, I see what's happening. You're using id and not xml:id. Here's what happens if you do that with xml:id:

#! /usr/bin/env ruby

require "nokogiri"

doc = Nokogiri.XML('<bad xml:id="////"></bad>')
doc.errors
# => [#<Nokogiri::XML::SyntaxError: 1:19: ERROR: xml:id : attribute value //// is not an NCName>]

doc.xpath('//bad').first.attributes
# => {"id"=>#<Nokogiri::XML::Attr:0x50 name="id" namespace=#<Nokogiri::XML::Namespace:0x3c prefix="xml" href="http://www.w3.org/XML/1998/namespace"> value="////">}

So, a few things to note:

• Nokogiri by default will create a SyntaxError and add it to doc#errors, and not raise an exception.
• libxml2 doesn't consider this a fatal error! Using ParseOptions::STRICT or unsetting ::RECOVER doesn't change this behavior. This is arguably a bug and Nokogiri should raise an exception anyway.
• Note that the attribute value is unchanged -- libxml2 doesn't know how to correct this, so it leaves it.

Does this answer your questions?

[flavorjones]

Going to close this, but please do comment if I haven't addressed your question in my previous post and I'm happy to reopen it.

[jcoyne]

Thanks @flavorjones. This was most helpful. Sorry for misunderstanding the spec.