diff --git a/.socket/blob/25323f5a8329402ddd5b12690919aedfb91f5fd98e18931ea1a6d73ca4ec8d4c b/.socket/blob/25323f5a8329402ddd5b12690919aedfb91f5fd98e18931ea1a6d73ca4ec8d4c new file mode 100644 index 0000000..807180d --- /dev/null +++ b/.socket/blob/25323f5a8329402ddd5b12690919aedfb91f5fd98e18931ea1a6d73ca4ec8d4c @@ -0,0 +1,8 @@ +// Socket Community Patch: https://socket.dev +// Date: Mon, 16 Mar 2026 22:23:23 GMT +// For more information see https://socket.dev/patch/66ab43a3-7f62-4fcb-bd27-330b23591c44 +// This file includes modifications made by Socket, Inc. on Mon, 16 Mar 2026; these modifications are called the "Patch". In some cases, Socket may be required to make the Patch available to you under specific terms, or may be prohibited from restricting certain rights you may have. For example, the terms of another applicable license may require Socket to make the Patch available under specific terms. In those cases, the Patch is made available to you under the required terms, and Socket does not seek to restrict your rights relative to the Patch where prohibited. In all other cases, the Patch is available to you exclusively under the PolyForm Shield License 1.0.0 (https://polyformproject.org/licenses/shield/1.0.0/). The Patch was distributed by Socket with additional information concerning licensing, attribution, and limitation of liability which may be relevant to you and your use of the Patch. As far as the law allows, the Patch and the software including the patch come as is, without any warranty or condition, and Socket will not be liable to you for any damages arising out of the applicable license terms or the use or nature of the Patch or the software including the patch, under any kind of legal claim. +// Original License: MIT + +!function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.fxp=e():t.fxp=e()}(this,(()=>(()=>{"use strict";var t={d:(e,r)=>{for(var i in r)t.o(r,i)&&!t.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:r[i]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{XMLBuilder:()=>pt,XMLParser:()=>at,XMLValidator:()=>mt});var r=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+r+"]["+r+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function n(t,e){for(var r=[],i=e.exec(t);i;){var n=[];n.startIndex=e.lastIndex-i[0].length;for(var a=i.length,s=0;s"!==t[o]&&" "!==t[o]&&"\t"!==t[o]&&"\n"!==t[o]&&"\r"!==t[o];o++)g+=t[o];if("/"===(g=g.trim())[g.length-1]&&(g=g.substring(0,g.length-1),o--),!a(g))return m("InvalidTag",0===g.trim().length?"Invalid space after '<'.":"Tag '"+g+"' is an invalid name.",b(t,o));var x=p(t,o);if(!1===x)return m("InvalidAttr","Attributes for '"+g+"' have open quote.",b(t,o));var N=x.value;if(o=x.index,"/"===N[N.length-1]){var E=o-N.length,y=c(N=N.substring(0,N.length-1),e);if(!0!==y)return m(y.err.code,y.err.msg,b(t,E+y.err.line));i=!0}else if(d){if(!x.tagClosed)return m("InvalidTag","Closing tag '"+g+"' doesn't have proper closing.",b(t,o));if(N.trim().length>0)return m("InvalidTag","Closing tag '"+g+"' can't have attributes or invalid starting.",b(t,f));if(0===r.length)return m("InvalidTag","Closing tag '"+g+"' has not been opened.",b(t,f));var T=r.pop();if(g!==T.tagName){var w=b(t,T.tagStartPos);return m("InvalidTag","Expected closing tag '"+T.tagName+"' (opened in line "+w.line+", col "+w.col+") instead of closing tag '"+g+"'.",b(t,f))}0==r.length&&(n=!0)}else{var P=c(N,e);if(!0!==P)return m(P.err.code,P.err.msg,b(t,o-N.length+P.err.line));if(!0===n)return m("InvalidXml","Multiple possible root nodes found.",b(t,o));-1!==e.unpairedTags.indexOf(g)||r.push({tagName:g,tagStartPos:f}),i=!0}for(o++;o0)||m("InvalidXml","Invalid '"+JSON.stringify(r.map((function(t){return t.tagName})),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):m("InvalidXml","Start tag expected.",1)}function u(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function l(t,e){for(var r=e;e5&&"xml"===i)return m("InvalidXml","XML declaration allowed only at the start of the document.",b(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}}return e}function h(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){var r=1;for(e+=8;e"===t[e]&&0==--r)break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}var f='"',d="'";function p(t,e){for(var r="",i="",n=!1;e"===t[e]&&""===i){n=!0;break}r+=t[e]}return""===i&&{value:r,index:e,tagClosed:n}}var g=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function c(t,e){for(var r=n(t,g),i={},a=0;a0?this.child.push(((r={})[t.tagname]=t.child,r[":@"]=t[":@"],r)):this.child.push(((i={})[t.tagname]=t.child,i)),void 0!==e&&(this.child[this.child.length-1][E]={startIndex:e})},t.getMetaDataSymbol=function(){return E},t}();function w(t,e){var r={};if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");e+=9;for(var i=1,n=!1,a=!1;e"===t[e]){if(a?"-"===t[e-1]&&"-"===t[e-2]&&(a=!1,i--):i--,0===i)break}else"["===t[e]?n=!0:t[e];else{if(n&&C(t,"!ENTITY",e)){var s,o=void 0,u=A(t,(e+=7)+1);s=u[0],o=u[1],e=u[2],-1===o.indexOf("&")&&(r[s]={regx:RegExp("&"+s.replace(/[.\-+*:]/g,"\\.")+";","g"),val:o})}else if(n&&C(t,"!ELEMENT",e))e=S(t,(e+=8)+1).index;else if(n&&C(t,"!ATTLIST",e))e+=8;else if(n&&C(t,"!NOTATION",e))e=O(t,(e+=9)+1).index;else{if(!C(t,"!--",e))throw new Error("Invalid DOCTYPE");a=!0}i++}if(0!==i)throw new Error("Unclosed DOCTYPE");return{entities:r,i:e}}var P=function(t,e){for(;et.length)&&(e=t.length);for(var r=0,i=Array(e);r=t.length?{done:!0}:{done:!1,value:t[i++]}}}throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}(t);!(r=i()).done;){var n=r.value;if("string"==typeof n&&e===n)return!0;if(n instanceof RegExp&&n.test(e))return!0}}:function(){return!1}}var L=function(t){this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.docTypeEntities={},this.lastEntities={apos:{regex:/&(apos|#39|#x27);/g,val:"'"},gt:{regex:/&(gt|#62|#x3E);/g,val:">"},lt:{regex:/&(lt|#60|#x3C);/g,val:"<"},quot:{regex:/&(quot|#34|#x22);/g,val:'"'}},this.ampEntity={regex:/&(amp|#38|#x26);/g,val:"&"},this.htmlEntities={space:{regex:/&(nbsp|#160);/g,val:" "},cent:{regex:/&(cent|#162);/g,val:"¢"},pound:{regex:/&(pound|#163);/g,val:"£"},yen:{regex:/&(yen|#165);/g,val:"¥"},euro:{regex:/&(euro|#8364);/g,val:"€"},copyright:{regex:/&(copy|#169);/g,val:"©"},reg:{regex:/&(reg|#174);/g,val:"®"},inr:{regex:/&(inr|#8377);/g,val:"₹"},num_dec:{regex:/&#([0-9]{1,7});/g,val:function(t,e){return String.fromCodePoint(Number.parseInt(e,10))}},num_hex:{regex:/&#x([0-9a-fA-F]{1,6});/g,val:function(t,e){return String.fromCodePoint(Number.parseInt(e,16))}}},this.addExternalEntities=B,this.parseXml=R,this.parseTextData=U,this.resolveNameSpace=G,this.buildAttributesMap=Y,this.isItStopNode=W,this.replaceEntitiesValue=q,this.readStopNodeData=H,this.saveTextToParentTag=Z,this.addChild=$,this.ignoreAttributesFn=F(this.options.ignoreAttributes)};function B(t){for(var e=Object.keys(t),r=0;r0)){s||(t=this.replaceEntitiesValue(t));var o=this.options.tagValueProcessor(e,t,r,n,a);return null==o?t:typeof o!=typeof t||o!==t?o:this.options.trimValues||t.trim()===t?K(t,this.options.parseTagValue,this.options.numberParseOptions):t}}function G(t){if(this.options.removeNSPrefix){var e=t.split(":"),r="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=r+e[1])}return t}var X=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function Y(t,e,r){if(!0!==this.options.ignoreAttributes&&"string"==typeof t){for(var i=n(t,X),a=i.length,s={},o=0;o",a,"Closing Tag is not closed."),o=t.substring(a+2,s).trim();if(this.options.removeNSPrefix){var u=o.indexOf(":");-1!==u&&(o=o.substr(u+1))}this.options.transformTagName&&(o=this.options.transformTagName(o)),r&&(i=this.saveTextToParentTag(i,r,n));var l=n.substring(n.lastIndexOf(".")+1);if(o&&-1!==this.options.unpairedTags.indexOf(o))throw new Error("Unpaired tag can not be used as closing tag: ");var h=0;l&&-1!==this.options.unpairedTags.indexOf(l)?(h=n.lastIndexOf(".",n.lastIndexOf(".")-1),this.tagsNodeStack.pop()):h=n.lastIndexOf("."),n=n.substring(0,h),r=this.tagsNodeStack.pop(),i="",a=s}else if("?"===t[a+1]){var f=J(t,a,!1,"?>");if(!f)throw new Error("Pi Tag is not closed.");if(i=this.saveTextToParentTag(i,r,n),this.options.ignoreDeclaration&&"?xml"===f.tagName||this.options.ignorePiTags);else{var d=new T(f.tagName);d.add(this.options.textNodeName,""),f.tagName!==f.tagExp&&f.attrExpPresent&&(d[":@"]=this.buildAttributesMap(f.tagExp,n,f.tagName)),this.addChild(r,d,n,a)}a=f.closeIndex+1}else if("!--"===t.substr(a+1,3)){var p=z(t,"--\x3e",a+4,"Comment is not closed.");if(this.options.commentPropName){var g,c=t.substring(a+4,p-2);i=this.saveTextToParentTag(i,r,n),r.add(this.options.commentPropName,[(g={},g[this.options.textNodeName]=c,g)])}a=p}else if("!D"===t.substr(a+1,2)){var v=w(t,a);this.docTypeEntities=v.entities,a=v.i}else if("!["===t.substr(a+1,2)){var m=z(t,"]]>",a,"CDATA is not closed.")-2,x=t.substring(a+9,m);i=this.saveTextToParentTag(i,r,n);var b,N=this.parseTextData(x,r.tagname,n,!0,!1,!0,!0);null==N&&(N=""),this.options.cdataPropName?r.add(this.options.cdataPropName,[(b={},b[this.options.textNodeName]=x,b)]):r.add(this.options.textNodeName,N),a=m+2}else{var E=J(t,a,this.options.removeNSPrefix),y=E.tagName,P=E.rawTagName,A=E.tagExp,O=E.attrExpPresent,I=E.closeIndex;this.options.transformTagName&&(y=this.options.transformTagName(y)),r&&i&&"!xml"!==r.tagname&&(i=this.saveTextToParentTag(i,r,n,!1));var S=r;S&&-1!==this.options.unpairedTags.indexOf(S.tagname)&&(r=this.tagsNodeStack.pop(),n=n.substring(0,n.lastIndexOf("."))),y!==e.tagname&&(n+=n?"."+y:y);var C=a;if(this.isItStopNode(this.options.stopNodes,n,y)){var j="";if(A.length>0&&A.lastIndexOf("/")===A.length-1)"/"===y[y.length-1]?(y=y.substr(0,y.length-1),n=n.substr(0,n.length-1),A=y):A=A.substr(0,A.length-1),a=E.closeIndex;else if(-1!==this.options.unpairedTags.indexOf(y))a=E.closeIndex;else{var D=this.readStopNodeData(t,P,I+1);if(!D)throw new Error("Unexpected end of "+P);a=D.i,j=D.tagContent}var V=new T(y);y!==A&&O&&(V[":@"]=this.buildAttributesMap(A,n,y)),j&&(j=this.parseTextData(j,y,n,!0,O,!0,!0)),n=n.substr(0,n.lastIndexOf(".")),V.add(this.options.textNodeName,j),this.addChild(r,V,n,C)}else{if(A.length>0&&A.lastIndexOf("/")===A.length-1){"/"===y[y.length-1]?(y=y.substr(0,y.length-1),n=n.substr(0,n.length-1),A=y):A=A.substr(0,A.length-1),this.options.transformTagName&&(y=this.options.transformTagName(y));var M=new T(y);y!==A&&O&&(M[":@"]=this.buildAttributesMap(A,n,y)),this.addChild(r,M,n,C),n=n.substr(0,n.lastIndexOf("."))}else{var _=new T(y);this.tagsNodeStack.push(r),y!==A&&O&&(_[":@"]=this.buildAttributesMap(A,n,y)),this.addChild(r,_,n,C),r=_}i="",a=I}}else i+=t[a];return e.child};function $(t,e,r,i){this.options.captureMetaData||(i=void 0);var n=this.options.updateTag(e.tagname,r,e[":@"]);!1===n||("string"==typeof n?(e.tagname=n,t.addChild(e,i)):t.addChild(e,i))}var q=function(t){if(this.options.processEntities){for(var e in this.docTypeEntities){var r=this.docTypeEntities[e];t=t.replace(r.regx,r.val)}for(var i in this.lastEntities){var n=this.lastEntities[i];t=t.replace(n.regex,n.val)}if(this.options.htmlEntities)for(var a in this.htmlEntities){var s=this.htmlEntities[a];t=t.replace(s.regex,s.val)}t=t.replace(this.ampEntity.regex,this.ampEntity.val)}return t};function Z(t,e,r,i){return t&&(void 0===i&&(i=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,r,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,i))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function W(t,e,r){var i="*."+r;for(var n in t){var a=t[n];if(i===a||e===a)return!0}return!1}function z(t,e,r,i){var n=t.indexOf(e,r);if(-1===n)throw new Error(i);return n+e.length-1}function J(t,e,r,i){void 0===i&&(i=">");var n=function(t,e,r){var i;void 0===r&&(r=">");for(var n="",a=e;a",r,e+" is not closed");if(t.substring(r+2,a).trim()===e&&0==--n)return{tagContent:t.substring(i,r),i:a};r=a}else if("?"===t[r+1])r=z(t,"?>",r+1,"StopNode is not closed.");else if("!--"===t.substr(r+1,3))r=z(t,"--\x3e",r+3,"StopNode is not closed.");else if("!["===t.substr(r+1,2))r=z(t,"]]>",r,"StopNode is not closed.")-2;else{var s=J(t,r,">");s&&((s&&s.tagName)===e&&"/"!==s.tagExp[s.tagExp.length-1]&&n++,r=s.closeIndex)}}function K(t,e,r){if(e&&"string"==typeof t){var i=t.trim();return"true"===i||"false"!==i&&function(t,e={}){if(e=Object.assign({},M,e),!t||"string"!=typeof t)return t;let r=t.trim();if(void 0!==e.skipLike&&e.skipLike.test(r))return t;if("0"===t)return 0;if(e.hex&&D.test(r))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(r);if(-1!==r.search(/.+[eE].+/))return function(t,e,r){if(!r.eNotation)return t;const i=e.match(_);if(i){let n=i[1]||"";const a=-1===i[3].indexOf("e")?"E":"e",s=i[2],o=n?t[s.length+1]===a:t[s.length]===a;return s.length>1&&o?t:1!==s.length||!i[3].startsWith(`.${a}`)&&i[3][0]!==a?r.leadingZeros&&!o?(e=(i[1]||"")+i[3],Number(e)):t:Number(e)}return t}(t,r,e);{const n=V.exec(r);if(n){const a=n[1]||"",s=n[2];let o=(i=n[3])&&-1!==i.indexOf(".")?("."===(i=i.replace(/0+$/,""))?i="0":"."===i[0]?i="0"+i:"."===i[i.length-1]&&(i=i.substring(0,i.length-1)),i):i;const u=a?"."===t[s.length+1]:"."===t[s.length];if(!e.leadingZeros&&(s.length>1||1===s.length&&!u))return t;{const i=Number(r),n=String(i);if(0===i||-0===i)return i;if(-1!==n.search(/[eE]/))return e.eNotation?i:t;if(-1!==r.indexOf("."))return"0"===n||n===o||n===`${a}${o}`?i:t;let u=s?o:r;return s?u===n||a+u===n?i:t:u===n||u===a+n?i:t}}return t}var i}(t,r)}return void 0!==t?t:""}var Q=T.getMetaDataSymbol();function tt(t,e){return et(t,e)}function et(t,e,r){for(var i,n={},a=0;a0&&(n[e.textNodeName]=i):void 0!==i&&(n[e.textNodeName]=i),n}function rt(t){for(var e=Object.keys(t),r=0;r0&&(r="\n"),ot(t,e,"",r)}function ot(t,e,r,i){for(var n="",a=!1,s=0;s":n+=f+"/>":d&&0!==d.length||!e.suppressEmptyNode?d&&d.endsWith(">")?n+=f+">"+d+i+"":(n+=f+">",d&&""!==i&&(d.includes("/>")||d.includes(""):n+=f+"/>",a=!0}else{var p=lt(o[":@"],e),g="?xml"===u?"":i,c=o[u][0][e.textNodeName];n+=g+"<"+u+(c=0!==c.length?" "+c:"")+p+"?>",a=!0}else n+=i+"\x3c!--"+o[u][0][e.textNodeName]+"--\x3e",a=!0;else a&&(n+=i),n+="",a=!1;else{var v=o[u];ht(l,e)||(v=ft(v=e.tagValueProcessor(u,v),e)),a&&(n+=i),n+=v,a=!1}}}return n}function ut(t){for(var e=Object.keys(t),r=0;r0&&e.processEntities)for(var r=0;r","g"),val:">"},{regex:new RegExp("<","g"),val:"<"},{regex:new RegExp("'","g"),val:"'"},{regex:new RegExp('"',"g"),val:"""}],processEntities:!0,stopNodes:[],oneListGroup:!1};function pt(t){this.options=Object.assign({},dt,t),!0===this.options.ignoreAttributes||this.options.attributesGroupName?this.isAttribute=function(){return!1}:(this.ignoreAttributesFn=F(this.options.ignoreAttributes),this.attrPrefixLen=this.options.attributeNamePrefix.length,this.isAttribute=vt),this.processTextOrObjNode=gt,this.options.format?(this.indentate=ct,this.tagEndChar=">\n",this.newLine="\n"):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function gt(t,e,r,i){var n=this.j2x(t,r+1,i.concat(e));return void 0!==t[this.options.textNodeName]&&1===Object.keys(t).length?this.buildTextValNode(t[this.options.textNodeName],e,n.attrStr,r):this.buildObjectNode(n.val,e,n.attrStr,r)}function ct(t){return this.options.indentBy.repeat(t)}function vt(t){return!(!t.startsWith(this.options.attributeNamePrefix)||t===this.options.textNodeName)&&t.substr(this.attrPrefixLen)}pt.prototype.build=function(t){return this.options.preserveOrder?st(t,this.options):(Array.isArray(t)&&this.options.arrayNodeName&&this.options.arrayNodeName.length>1&&((e={})[this.options.arrayNodeName]=t,t=e),this.j2x(t,0,[]).val);var e},pt.prototype.j2x=function(t,e,r){var i="",n="",a=r.join(".");for(var s in t)if(Object.prototype.hasOwnProperty.call(t,s))if(void 0===t[s])this.isAttribute(s)&&(n+="");else if(null===t[s])this.isAttribute(s)||s===this.options.cdataPropName?n+="":"?"===s[0]?n+=this.indentate(e)+"<"+s+"?"+this.tagEndChar:n+=this.indentate(e)+"<"+s+"/"+this.tagEndChar;else if(t[s]instanceof Date)n+=this.buildTextValNode(t[s],s,"",e);else if("object"!=typeof t[s]){var o=this.isAttribute(s);if(o&&!this.ignoreAttributesFn(o,a))i+=this.buildAttrPairStr(o,""+t[s]);else if(!o)if(s===this.options.textNodeName){var u=this.options.tagValueProcessor(s,""+t[s]);n+=this.replaceEntitiesValue(u)}else n+=this.buildTextValNode(t[s],s,"",e)}else if(Array.isArray(t[s])){for(var l=t[s].length,h="",f="",d=0;d"+t+n},pt.prototype.closeTag=function(t){var e="";return-1!==this.options.unpairedTags.indexOf(t)?this.options.suppressUnpairedNode||(e="/"):e=this.options.suppressEmptyNode?"/":">"+this.newLine;if(!1!==this.options.commentPropName&&e===this.options.commentPropName)return this.indentate(i)+"\x3c!--"+t+"--\x3e"+this.newLine;if("?"===e[0])return this.indentate(i)+"<"+e+r+"?"+this.tagEndChar;var n=this.options.tagValueProcessor(e,t);return""===(n=this.replaceEntitiesValue(n))?this.indentate(i)+"<"+e+r+this.closeTag(e)+this.tagEndChar:this.indentate(i)+"<"+e+r+">"+n+"0&&this.options.processEntities)for(var e=0;e{"use strict";var t={d:(e,n)=>{for(var i in n)t.o(n,i)&&!t.o(e,i)&&Object.defineProperty(e,i,{enumerable:!0,get:n[i]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{XMLBuilder:()=>ft,XMLParser:()=>st,XMLValidator:()=>mt});const n=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+n+"]["+n+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function s(t,e){const n=[];let i=e.exec(t);for(;i;){const s=[];s.startIndex=e.lastIndex-i[0].length;const r=i.length;for(let t=0;t"!==t[o]&&" "!==t[o]&&"\t"!==t[o]&&"\n"!==t[o]&&"\r"!==t[o];o++)f+=t[o];if(f=f.trim(),"/"===f[f.length-1]&&(f=f.substring(0,f.length-1),o--),!r(f)){let e;return e=0===f.trim().length?"Invalid space after '<'.":"Tag '"+f+"' is an invalid name.",x("InvalidTag",e,N(t,o))}const p=c(t,o);if(!1===p)return x("InvalidAttr","Attributes for '"+f+"' have open quote.",N(t,o));let b=p.value;if(o=p.index,"/"===b[b.length-1]){const n=o-b.length;b=b.substring(0,b.length-1);const s=g(b,e);if(!0!==s)return x(s.err.code,s.err.msg,N(t,n+s.err.line));i=!0}else if(d){if(!p.tagClosed)return x("InvalidTag","Closing tag '"+f+"' doesn't have proper closing.",N(t,o));if(b.trim().length>0)return x("InvalidTag","Closing tag '"+f+"' can't have attributes or invalid starting.",N(t,a));if(0===n.length)return x("InvalidTag","Closing tag '"+f+"' has not been opened.",N(t,a));{const e=n.pop();if(f!==e.tagName){let n=N(t,e.tagStartPos);return x("InvalidTag","Expected closing tag '"+e.tagName+"' (opened in line "+n.line+", col "+n.col+") instead of closing tag '"+f+"'.",N(t,a))}0==n.length&&(s=!0)}}else{const r=g(b,e);if(!0!==r)return x(r.err.code,r.err.msg,N(t,o-b.length+r.err.line));if(!0===s)return x("InvalidXml","Multiple possible root nodes found.",N(t,o));-1!==e.unpairedTags.indexOf(f)||n.push({tagName:f,tagStartPos:a}),i=!0}for(o++;o0)||x("InvalidXml","Invalid '"+JSON.stringify(n.map((t=>t.tagName)),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):x("InvalidXml","Start tag expected.",1)}function l(t){return" "===t||"\t"===t||"\n"===t||"\r"===t}function u(t,e){const n=e;for(;e5&&"xml"===i)return x("InvalidXml","XML declaration allowed only at the start of the document.",N(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}}return e}function h(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){let n=1;for(e+=8;e"===t[e]&&(n--,0===n))break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}const d='"',f="'";function c(t,e){let n="",i="",s=!1;for(;e"===t[e]&&""===i){s=!0;break}n+=t[e]}return""===i&&{value:n,index:e,tagClosed:s}}const p=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function g(t,e){const n=s(t,p),i={};for(let t=0;t!1,commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,n){return t},captureMetaData:!1};let y;y="function"!=typeof Symbol?"@@xmlMetadata":Symbol("XML Node Metadata");class T{constructor(t){this.tagname=t,this.child=[],this[":@"]={}}add(t,e){"__proto__"===t&&(t="#__proto__"),this.child.push({[t]:e})}addChild(t,e){"__proto__"===t.tagname&&(t.tagname="#__proto__"),t[":@"]&&Object.keys(t[":@"]).length>0?this.child.push({[t.tagname]:t.child,":@":t[":@"]}):this.child.push({[t.tagname]:t.child}),void 0!==e&&(this.child[this.child.length-1][y]={startIndex:e})}static getMetaDataSymbol(){return y}}function w(t,e){const n={};if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");{e+=9;let i=1,s=!1,r=!1,o="";for(;e"===t[e]){if(r?"-"===t[e-1]&&"-"===t[e-2]&&(r=!1,i--):i--,0===i)break}else"["===t[e]?s=!0:o+=t[e];else{if(s&&C(t,"!ENTITY",e)){let i,s;e+=7,[i,s,e]=O(t,e+1),-1===s.indexOf("&")&&(n[i]={regx:RegExp("&"+i.replace(/[.\-+*:]/g,"\\.")+";","g"),val:s})}else if(s&&C(t,"!ELEMENT",e)){e+=8;const{index:n}=S(t,e+1);e=n}else if(s&&C(t,"!ATTLIST",e))e+=8;else if(s&&C(t,"!NOTATION",e)){e+=9;const{index:n}=A(t,e+1);e=n}else{if(!C(t,"!--",e))throw new Error("Invalid DOCTYPE");r=!0}i++,o=""}if(0!==i)throw new Error("Unclosed DOCTYPE")}return{entities:n,i:e}}const P=(t,e)=>{for(;e{for(const n of t){if("string"==typeof n&&e===n)return!0;if(n instanceof RegExp&&n.test(e))return!0}}:()=>!1}class k{constructor(t){this.options=t,this.currentNode=null,this.tagsNodeStack=[],this.docTypeEntities={},this.lastEntities={apos:{regex:/&(apos|#39|#x27);/g,val:"'"},gt:{regex:/&(gt|#62|#x3E);/g,val:">"},lt:{regex:/&(lt|#60|#x3C);/g,val:"<"},quot:{regex:/&(quot|#34|#x22);/g,val:'"'}},this.ampEntity={regex:/&(amp|#38|#x26);/g,val:"&"},this.htmlEntities={space:{regex:/&(nbsp|#160);/g,val:" "},cent:{regex:/&(cent|#162);/g,val:"¢"},pound:{regex:/&(pound|#163);/g,val:"£"},yen:{regex:/&(yen|#165);/g,val:"¥"},euro:{regex:/&(euro|#8364);/g,val:"€"},copyright:{regex:/&(copy|#169);/g,val:"©"},reg:{regex:/&(reg|#174);/g,val:"®"},inr:{regex:/&(inr|#8377);/g,val:"₹"},num_dec:{regex:/&#([0-9]{1,7});/g,val:(t,e)=>String.fromCodePoint(Number.parseInt(e,10))},num_hex:{regex:/&#x([0-9a-fA-F]{1,6});/g,val:(t,e)=>String.fromCodePoint(Number.parseInt(e,16))}},this.addExternalEntities=F,this.parseXml=X,this.parseTextData=L,this.resolveNameSpace=B,this.buildAttributesMap=G,this.isItStopNode=Z,this.replaceEntitiesValue=R,this.readStopNodeData=J,this.saveTextToParentTag=q,this.addChild=Y,this.ignoreAttributesFn=_(this.options.ignoreAttributes)}}function F(t){const e=Object.keys(t);for(let n=0;n0)){o||(t=this.replaceEntitiesValue(t));const i=this.options.tagValueProcessor(e,t,n,s,r);return null==i?t:typeof i!=typeof t||i!==t?i:this.options.trimValues||t.trim()===t?H(t,this.options.parseTagValue,this.options.numberParseOptions):t}}function B(t){if(this.options.removeNSPrefix){const e=t.split(":"),n="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=n+e[1])}return t}const U=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function G(t,e,n){if(!0!==this.options.ignoreAttributes&&"string"==typeof t){const n=s(t,U),i=n.length,r={};for(let t=0;t",r,"Closing Tag is not closed.");let o=t.substring(r+2,e).trim();if(this.options.removeNSPrefix){const t=o.indexOf(":");-1!==t&&(o=o.substr(t+1))}this.options.transformTagName&&(o=this.options.transformTagName(o)),n&&(i=this.saveTextToParentTag(i,n,s));const a=s.substring(s.lastIndexOf(".")+1);if(o&&-1!==this.options.unpairedTags.indexOf(o))throw new Error(`Unpaired tag can not be used as closing tag: `);let l=0;a&&-1!==this.options.unpairedTags.indexOf(a)?(l=s.lastIndexOf(".",s.lastIndexOf(".")-1),this.tagsNodeStack.pop()):l=s.lastIndexOf("."),s=s.substring(0,l),n=this.tagsNodeStack.pop(),i="",r=e}else if("?"===t[r+1]){let e=z(t,r,!1,"?>");if(!e)throw new Error("Pi Tag is not closed.");if(i=this.saveTextToParentTag(i,n,s),this.options.ignoreDeclaration&&"?xml"===e.tagName||this.options.ignorePiTags);else{const t=new T(e.tagName);t.add(this.options.textNodeName,""),e.tagName!==e.tagExp&&e.attrExpPresent&&(t[":@"]=this.buildAttributesMap(e.tagExp,s,e.tagName)),this.addChild(n,t,s,r)}r=e.closeIndex+1}else if("!--"===t.substr(r+1,3)){const e=W(t,"--\x3e",r+4,"Comment is not closed.");if(this.options.commentPropName){const o=t.substring(r+4,e-2);i=this.saveTextToParentTag(i,n,s),n.add(this.options.commentPropName,[{[this.options.textNodeName]:o}])}r=e}else if("!D"===t.substr(r+1,2)){const e=w(t,r);this.docTypeEntities=e.entities,r=e.i}else if("!["===t.substr(r+1,2)){const e=W(t,"]]>",r,"CDATA is not closed.")-2,o=t.substring(r+9,e);i=this.saveTextToParentTag(i,n,s);let a=this.parseTextData(o,n.tagname,s,!0,!1,!0,!0);null==a&&(a=""),this.options.cdataPropName?n.add(this.options.cdataPropName,[{[this.options.textNodeName]:o}]):n.add(this.options.textNodeName,a),r=e+2}else{let o=z(t,r,this.options.removeNSPrefix),a=o.tagName;const l=o.rawTagName;let u=o.tagExp,h=o.attrExpPresent,d=o.closeIndex;this.options.transformTagName&&(a=this.options.transformTagName(a)),n&&i&&"!xml"!==n.tagname&&(i=this.saveTextToParentTag(i,n,s,!1));const f=n;f&&-1!==this.options.unpairedTags.indexOf(f.tagname)&&(n=this.tagsNodeStack.pop(),s=s.substring(0,s.lastIndexOf("."))),a!==e.tagname&&(s+=s?"."+a:a);const c=r;if(this.isItStopNode(this.options.stopNodes,s,a)){let e="";if(u.length>0&&u.lastIndexOf("/")===u.length-1)"/"===a[a.length-1]?(a=a.substr(0,a.length-1),s=s.substr(0,s.length-1),u=a):u=u.substr(0,u.length-1),r=o.closeIndex;else if(-1!==this.options.unpairedTags.indexOf(a))r=o.closeIndex;else{const n=this.readStopNodeData(t,l,d+1);if(!n)throw new Error(`Unexpected end of ${l}`);r=n.i,e=n.tagContent}const i=new T(a);a!==u&&h&&(i[":@"]=this.buildAttributesMap(u,s,a)),e&&(e=this.parseTextData(e,a,s,!0,h,!0,!0)),s=s.substr(0,s.lastIndexOf(".")),i.add(this.options.textNodeName,e),this.addChild(n,i,s,c)}else{if(u.length>0&&u.lastIndexOf("/")===u.length-1){"/"===a[a.length-1]?(a=a.substr(0,a.length-1),s=s.substr(0,s.length-1),u=a):u=u.substr(0,u.length-1),this.options.transformTagName&&(a=this.options.transformTagName(a));const t=new T(a);a!==u&&h&&(t[":@"]=this.buildAttributesMap(u,s,a)),this.addChild(n,t,s,c),s=s.substr(0,s.lastIndexOf("."))}else{const t=new T(a);this.tagsNodeStack.push(n),a!==u&&h&&(t[":@"]=this.buildAttributesMap(u,s,a)),this.addChild(n,t,s,c),n=t}i="",r=d}}else i+=t[r];return e.child};function Y(t,e,n,i){this.options.captureMetaData||(i=void 0);const s=this.options.updateTag(e.tagname,n,e[":@"]);!1===s||("string"==typeof s?(e.tagname=s,t.addChild(e,i)):t.addChild(e,i))}const R=function(t){if(this.options.processEntities){for(let e in this.docTypeEntities){const n=this.docTypeEntities[e];t=t.replace(n.regx,n.val)}for(let e in this.lastEntities){const n=this.lastEntities[e];t=t.replace(n.regex,n.val)}if(this.options.htmlEntities)for(let e in this.htmlEntities){const n=this.htmlEntities[e];t=t.replace(n.regex,n.val)}t=t.replace(this.ampEntity.regex,this.ampEntity.val)}return t};function q(t,e,n,i){return t&&(void 0===i&&(i=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,n,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,i))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function Z(t,e,n){const i="*."+n;for(const n in t){const s=t[n];if(i===s||e===s)return!0}return!1}function W(t,e,n,i){const s=t.indexOf(e,n);if(-1===s)throw new Error(i);return s+e.length-1}function z(t,e,n,i=">"){const s=function(t,e,n=">"){let i,s="";for(let r=e;r",n,`${e} is not closed`);if(t.substring(n+2,r).trim()===e&&(s--,0===s))return{tagContent:t.substring(i,n),i:r};n=r}else if("?"===t[n+1])n=W(t,"?>",n+1,"StopNode is not closed.");else if("!--"===t.substr(n+1,3))n=W(t,"--\x3e",n+3,"StopNode is not closed.");else if("!["===t.substr(n+1,2))n=W(t,"]]>",n,"StopNode is not closed.")-2;else{const i=z(t,n,">");i&&((i&&i.tagName)===e&&"/"!==i.tagExp[i.tagExp.length-1]&&s++,n=i.closeIndex)}}function H(t,e,n){if(e&&"string"==typeof t){const e=t.trim();return"true"===e||"false"!==e&&function(t,e={}){if(e=Object.assign({},V,e),!t||"string"!=typeof t)return t;let n=t.trim();if(void 0!==e.skipLike&&e.skipLike.test(n))return t;if("0"===t)return 0;if(e.hex&&j.test(n))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(n);if(-1!==n.search(/.+[eE].+/))return function(t,e,n){if(!n.eNotation)return t;const i=e.match(M);if(i){let s=i[1]||"";const r=-1===i[3].indexOf("e")?"E":"e",o=i[2],a=s?t[o.length+1]===r:t[o.length]===r;return o.length>1&&a?t:1!==o.length||!i[3].startsWith(`.${r}`)&&i[3][0]!==r?n.leadingZeros&&!a?(e=(i[1]||"")+i[3],Number(e)):t:Number(e)}return t}(t,n,e);{const s=D.exec(n);if(s){const r=s[1]||"",o=s[2];let a=(i=s[3])&&-1!==i.indexOf(".")?("."===(i=i.replace(/0+$/,""))?i="0":"."===i[0]?i="0"+i:"."===i[i.length-1]&&(i=i.substring(0,i.length-1)),i):i;const l=r?"."===t[o.length+1]:"."===t[o.length];if(!e.leadingZeros&&(o.length>1||1===o.length&&!l))return t;{const i=Number(n),s=String(i);if(0===i||-0===i)return i;if(-1!==s.search(/[eE]/))return e.eNotation?i:t;if(-1!==n.indexOf("."))return"0"===s||s===a||s===`${r}${a}`?i:t;let l=o?a:n;return o?l===s||r+l===s?i:t:l===s||l===r+s?i:t}}return t}var i}(t,n)}return void 0!==t?t:""}const K=T.getMetaDataSymbol();function Q(t,e){return tt(t,e)}function tt(t,e,n){let i;const s={};for(let r=0;r0&&(s[e.textNodeName]=i):void 0!==i&&(s[e.textNodeName]=i),s}function et(t){const e=Object.keys(t);for(let t=0;t0&&(n="\n"),ot(t,e,"",n)}function ot(t,e,n,i){let s="",r=!1;for(let o=0;o`,r=!1;continue}if(l===e.commentPropName){s+=i+`\x3c!--${a[l][0][e.textNodeName]}--\x3e`,r=!0;continue}if("?"===l[0]){const t=lt(a[":@"],e),n="?xml"===l?"":i;let o=a[l][0][e.textNodeName];o=0!==o.length?" "+o:"",s+=n+`<${l}${o}${t}?>`,r=!0;continue}let h=i;""!==h&&(h+=e.indentBy);const d=i+`<${l}${lt(a[":@"],e)}`,f=ot(a[l],e,u,h);-1!==e.unpairedTags.indexOf(l)?e.suppressUnpairedNode?s+=d+">":s+=d+"/>":f&&0!==f.length||!e.suppressEmptyNode?f&&f.endsWith(">")?s+=d+`>${f}${i}`:(s+=d+">",f&&""!==i&&(f.includes("/>")||f.includes("`):s+=d+"/>",r=!0}return s}function at(t){const e=Object.keys(t);for(let n=0;n0&&e.processEntities)for(let n=0;n","g"),val:">"},{regex:new RegExp("<","g"),val:"<"},{regex:new RegExp("'","g"),val:"'"},{regex:new RegExp('"',"g"),val:"""}],processEntities:!0,stopNodes:[],oneListGroup:!1};function ft(t){this.options=Object.assign({},dt,t),!0===this.options.ignoreAttributes||this.options.attributesGroupName?this.isAttribute=function(){return!1}:(this.ignoreAttributesFn=_(this.options.ignoreAttributes),this.attrPrefixLen=this.options.attributeNamePrefix.length,this.isAttribute=gt),this.processTextOrObjNode=ct,this.options.format?(this.indentate=pt,this.tagEndChar=">\n",this.newLine="\n"):(this.indentate=function(){return""},this.tagEndChar=">",this.newLine="")}function ct(t,e,n,i){const s=this.j2x(t,n+1,i.concat(e));return void 0!==t[this.options.textNodeName]&&1===Object.keys(t).length?this.buildTextValNode(t[this.options.textNodeName],e,s.attrStr,n):this.buildObjectNode(s.val,e,s.attrStr,n)}function pt(t){return this.options.indentBy.repeat(t)}function gt(t){return!(!t.startsWith(this.options.attributeNamePrefix)||t===this.options.textNodeName)&&t.substr(this.attrPrefixLen)}ft.prototype.build=function(t){return this.options.preserveOrder?rt(t,this.options):(Array.isArray(t)&&this.options.arrayNodeName&&this.options.arrayNodeName.length>1&&(t={[this.options.arrayNodeName]:t}),this.j2x(t,0,[]).val)},ft.prototype.j2x=function(t,e,n){let i="",s="";const r=n.join(".");for(let o in t)if(Object.prototype.hasOwnProperty.call(t,o))if(void 0===t[o])this.isAttribute(o)&&(s+="");else if(null===t[o])this.isAttribute(o)||o===this.options.cdataPropName?s+="":"?"===o[0]?s+=this.indentate(e)+"<"+o+"?"+this.tagEndChar:s+=this.indentate(e)+"<"+o+"/"+this.tagEndChar;else if(t[o]instanceof Date)s+=this.buildTextValNode(t[o],o,"",e);else if("object"!=typeof t[o]){const n=this.isAttribute(o);if(n&&!this.ignoreAttributesFn(n,r))i+=this.buildAttrPairStr(n,""+t[o]);else if(!n)if(o===this.options.textNodeName){let e=this.options.tagValueProcessor(o,""+t[o]);s+=this.replaceEntitiesValue(e)}else s+=this.buildTextValNode(t[o],o,"",e)}else if(Array.isArray(t[o])){const i=t[o].length;let r="",a="";for(let l=0;l"+t+s}},ft.prototype.closeTag=function(t){let e="";return-1!==this.options.unpairedTags.indexOf(t)?this.options.suppressUnpairedNode||(e="/"):e=this.options.suppressEmptyNode?"/":`>`+this.newLine;if(!1!==this.options.commentPropName&&e===this.options.commentPropName)return this.indentate(i)+`\x3c!--${t}--\x3e`+this.newLine;if("?"===e[0])return this.indentate(i)+"<"+e+n+"?"+this.tagEndChar;{let s=this.options.tagValueProcessor(e,t);return s=this.replaceEntitiesValue(s),""===s?this.indentate(i)+"<"+e+n+this.closeTag(e)+this.tagEndChar:this.indentate(i)+"<"+e+n+">"+s+"0&&this.options.processEntities)for(let e=0;e))|((NAME:)?(NAME))([^>]*)>|((\\/)(NAME)\\s*>))([^<]*)' +// .replace(/NAME/g, util.nameRegexp); + +//const tagsRegx = new RegExp("<(\\/?[\\w:\\-\._]+)([^>]*)>(\\s*"+cdataRegx+")*([^<]+)?","g"); +//const tagsRegx = new RegExp("<(\\/?)((\\w*:)?([\\w:\\-\._]+))([^>]*)>([^<]*)("+cdataRegx+"([^<]*))*([^<]+)?","g"); + +export default class OrderedObjParser{ + constructor(options){ + this.options = options; + this.currentNode = null; + this.tagsNodeStack = []; + this.docTypeEntities = {}; + this.lastEntities = { + "apos" : { regex: /&(apos|#39|#x27);/g, val : "'"}, + "gt" : { regex: /&(gt|#62|#x3E);/g, val : ">"}, + "lt" : { regex: /&(lt|#60|#x3C);/g, val : "<"}, + "quot" : { regex: /&(quot|#34|#x22);/g, val : "\""}, + }; + this.ampEntity = { regex: /&(amp|#38|#x26);/g, val : "&"}; + this.htmlEntities = { + "space": { regex: /&(nbsp|#160);/g, val: " " }, + // "lt" : { regex: /&(lt|#60);/g, val: "<" }, + // "gt" : { regex: /&(gt|#62);/g, val: ">" }, + // "amp" : { regex: /&(amp|#38);/g, val: "&" }, + // "quot" : { regex: /&(quot|#34);/g, val: "\"" }, + // "apos" : { regex: /&(apos|#39);/g, val: "'" }, + "cent" : { regex: /&(cent|#162);/g, val: "¢" }, + "pound" : { regex: /&(pound|#163);/g, val: "£" }, + "yen" : { regex: /&(yen|#165);/g, val: "¥" }, + "euro" : { regex: /&(euro|#8364);/g, val: "€" }, + "copyright" : { regex: /&(copy|#169);/g, val: "©" }, + "reg" : { regex: /&(reg|#174);/g, val: "®" }, + "inr" : { regex: /&(inr|#8377);/g, val: "₹" }, + "num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, + "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) }, + }; + this.addExternalEntities = addExternalEntities; + this.parseXml = parseXml; + this.parseTextData = parseTextData; + this.resolveNameSpace = resolveNameSpace; + this.buildAttributesMap = buildAttributesMap; + this.isItStopNode = isItStopNode; + this.replaceEntitiesValue = replaceEntitiesValue; + this.readStopNodeData = readStopNodeData; + this.saveTextToParentTag = saveTextToParentTag; + this.addChild = addChild; + this.ignoreAttributesFn = getIgnoreAttributesFn(this.options.ignoreAttributes) + } + +} + +function addExternalEntities(externalEntities){ + const entKeys = Object.keys(externalEntities); + for (let i = 0; i < entKeys.length; i++) { + const ent = entKeys[i]; + const escaped = ent.replace(/[.\-+*:]/g, '\.'); + this.lastEntities[ent] = { + regex: new RegExp("&"+escaped+";","g"), + val : externalEntities[ent] + } + } +} + +/** + * @param {string} val + * @param {string} tagName + * @param {string} jPath + * @param {boolean} dontTrim + * @param {boolean} hasAttributes + * @param {boolean} isLeafNode + * @param {boolean} escapeEntities + */ +function parseTextData(val, tagName, jPath, dontTrim, hasAttributes, isLeafNode, escapeEntities) { + if (val !== undefined) { + if (this.options.trimValues && !dontTrim) { + val = val.trim(); + } + if(val.length > 0){ + if(!escapeEntities) val = this.replaceEntitiesValue(val); + + const newval = this.options.tagValueProcessor(tagName, val, jPath, hasAttributes, isLeafNode); + if(newval === null || newval === undefined){ + //don't parse + return val; + }else if(typeof newval !== typeof val || newval !== val){ + //overwrite + return newval; + }else if(this.options.trimValues){ + return parseValue(val, this.options.parseTagValue, this.options.numberParseOptions); + }else{ + const trimmedVal = val.trim(); + if(trimmedVal === val){ + return parseValue(val, this.options.parseTagValue, this.options.numberParseOptions); + }else{ + return val; + } + } + } + } +} + +function resolveNameSpace(tagname) { + if (this.options.removeNSPrefix) { + const tags = tagname.split(':'); + const prefix = tagname.charAt(0) === '/' ? '/' : ''; + if (tags[0] === 'xmlns') { + return ''; + } + if (tags.length === 2) { + tagname = prefix + tags[1]; + } + } + return tagname; +} + +//TODO: change regex to capture NS +//const attrsRegx = new RegExp("([\\w\\-\\.\\:]+)\\s*=\\s*(['\"])((.|\n)*?)\\2","gm"); +const attrsRegx = new RegExp('([^\\s=]+)\\s*(=\\s*([\'"])([\\s\\S]*?)\\3)?', 'gm'); + +function buildAttributesMap(attrStr, jPath, tagName) { + if (this.options.ignoreAttributes !== true && typeof attrStr === 'string') { + // attrStr = attrStr.replace(/\r?\n/g, ' '); + //attrStr = attrStr || attrStr.trim(); + + const matches = getAllMatches(attrStr, attrsRegx); + const len = matches.length; //don't make it inline + const attrs = {}; + for (let i = 0; i < len; i++) { + const attrName = this.resolveNameSpace(matches[i][1]); + if (this.ignoreAttributesFn(attrName, jPath)) { + continue + } + let oldVal = matches[i][4]; + let aName = this.options.attributeNamePrefix + attrName; + if (attrName.length) { + if (this.options.transformAttributeName) { + aName = this.options.transformAttributeName(aName); + } + if(aName === "__proto__") aName = "#__proto__"; + if (oldVal !== undefined) { + if (this.options.trimValues) { + oldVal = oldVal.trim(); + } + oldVal = this.replaceEntitiesValue(oldVal); + const newVal = this.options.attributeValueProcessor(attrName, oldVal, jPath); + if(newVal === null || newVal === undefined){ + //don't parse + attrs[aName] = oldVal; + }else if(typeof newVal !== typeof oldVal || newVal !== oldVal){ + //overwrite + attrs[aName] = newVal; + }else{ + //parse + attrs[aName] = parseValue( + oldVal, + this.options.parseAttributeValue, + this.options.numberParseOptions + ); + } + } else if (this.options.allowBooleanAttributes) { + attrs[aName] = true; + } + } + } + if (!Object.keys(attrs).length) { + return; + } + if (this.options.attributesGroupName) { + const attrCollection = {}; + attrCollection[this.options.attributesGroupName] = attrs; + return attrCollection; + } + return attrs + } +} + +const parseXml = function(xmlData) { + xmlData = xmlData.replace(/\r\n?/g, "\n"); //TODO: remove this line + const xmlObj = new xmlNode('!xml'); + let currentNode = xmlObj; + let textData = ""; + let jPath = ""; + for(let i=0; i< xmlData.length; i++){//for each char in XML data + const ch = xmlData[i]; + if(ch === '<'){ + // const nextIndex = i+1; + // const _2ndChar = xmlData[nextIndex]; + if( xmlData[i+1] === '/') {//Closing Tag + const closeIndex = findClosingIndex(xmlData, ">", i, "Closing Tag is not closed.") + let tagName = xmlData.substring(i+2,closeIndex).trim(); + + if(this.options.removeNSPrefix){ + const colonIndex = tagName.indexOf(":"); + if(colonIndex !== -1){ + tagName = tagName.substr(colonIndex+1); + } + } + + if(this.options.transformTagName) { + tagName = this.options.transformTagName(tagName); + } + + if(currentNode){ + textData = this.saveTextToParentTag(textData, currentNode, jPath); + } + + //check if last tag of nested tag was unpaired tag + const lastTagName = jPath.substring(jPath.lastIndexOf(".")+1); + if(tagName && this.options.unpairedTags.indexOf(tagName) !== -1 ){ + throw new Error(`Unpaired tag can not be used as closing tag: `); + } + let propIndex = 0 + if(lastTagName && this.options.unpairedTags.indexOf(lastTagName) !== -1 ){ + propIndex = jPath.lastIndexOf('.', jPath.lastIndexOf('.')-1) + this.tagsNodeStack.pop(); + }else{ + propIndex = jPath.lastIndexOf("."); + } + jPath = jPath.substring(0, propIndex); + + currentNode = this.tagsNodeStack.pop();//avoid recursion, set the parent tag scope + textData = ""; + i = closeIndex; + } else if( xmlData[i+1] === '?') { + + let tagData = readTagExp(xmlData,i, false, "?>"); + if(!tagData) throw new Error("Pi Tag is not closed."); + + textData = this.saveTextToParentTag(textData, currentNode, jPath); + if( (this.options.ignoreDeclaration && tagData.tagName === "?xml") || this.options.ignorePiTags){ + + }else{ + + const childNode = new xmlNode(tagData.tagName); + childNode.add(this.options.textNodeName, ""); + + if(tagData.tagName !== tagData.tagExp && tagData.attrExpPresent){ + childNode[":@"] = this.buildAttributesMap(tagData.tagExp, jPath, tagData.tagName); + } + this.addChild(currentNode, childNode, jPath, i); + } + + + i = tagData.closeIndex + 1; + } else if(xmlData.substr(i + 1, 3) === '!--') { + const endIndex = findClosingIndex(xmlData, "-->", i+4, "Comment is not closed.") + if(this.options.commentPropName){ + const comment = xmlData.substring(i + 4, endIndex - 2); + + textData = this.saveTextToParentTag(textData, currentNode, jPath); + + currentNode.add(this.options.commentPropName, [ { [this.options.textNodeName] : comment } ]); + } + i = endIndex; + } else if( xmlData.substr(i + 1, 2) === '!D') { + const result = readDocType(xmlData, i); + this.docTypeEntities = result.entities; + i = result.i; + }else if(xmlData.substr(i + 1, 2) === '![') { + const closeIndex = findClosingIndex(xmlData, "]]>", i, "CDATA is not closed.") - 2; + const tagExp = xmlData.substring(i + 9,closeIndex); + + textData = this.saveTextToParentTag(textData, currentNode, jPath); + + let val = this.parseTextData(tagExp, currentNode.tagname, jPath, true, false, true, true); + if(val == undefined) val = ""; + + //cdata should be set even if it is 0 length string + if(this.options.cdataPropName){ + currentNode.add(this.options.cdataPropName, [ { [this.options.textNodeName] : tagExp } ]); + }else{ + currentNode.add(this.options.textNodeName, val); + } + + i = closeIndex + 2; + }else {//Opening tag + let result = readTagExp(xmlData,i, this.options.removeNSPrefix); + let tagName= result.tagName; + const rawTagName = result.rawTagName; + let tagExp = result.tagExp; + let attrExpPresent = result.attrExpPresent; + let closeIndex = result.closeIndex; + + if (this.options.transformTagName) { + tagName = this.options.transformTagName(tagName); + } + + //save text as child node + if (currentNode && textData) { + if(currentNode.tagname !== '!xml'){ + //when nested tag is found + textData = this.saveTextToParentTag(textData, currentNode, jPath, false); + } + } + + //check if last tag was unpaired tag + const lastTag = currentNode; + if(lastTag && this.options.unpairedTags.indexOf(lastTag.tagname) !== -1 ){ + currentNode = this.tagsNodeStack.pop(); + jPath = jPath.substring(0, jPath.lastIndexOf(".")); + } + if(tagName !== xmlObj.tagname){ + jPath += jPath ? "." + tagName : tagName; + } + const startIndex = i; + if (this.isItStopNode(this.options.stopNodes, jPath, tagName)) { + let tagContent = ""; + //self-closing tag + if(tagExp.length > 0 && tagExp.lastIndexOf("/") === tagExp.length - 1){ + if(tagName[tagName.length - 1] === "/"){ //remove trailing '/' + tagName = tagName.substr(0, tagName.length - 1); + jPath = jPath.substr(0, jPath.length - 1); + tagExp = tagName; + }else{ + tagExp = tagExp.substr(0, tagExp.length - 1); + } + i = result.closeIndex; + } + //unpaired tag + else if(this.options.unpairedTags.indexOf(tagName) !== -1){ + + i = result.closeIndex; + } + //normal tag + else{ + //read until closing tag is found + const result = this.readStopNodeData(xmlData, rawTagName, closeIndex + 1); + if(!result) throw new Error(`Unexpected end of ${rawTagName}`); + i = result.i; + tagContent = result.tagContent; + } + + const childNode = new xmlNode(tagName); + + if(tagName !== tagExp && attrExpPresent){ + childNode[":@"] = this.buildAttributesMap(tagExp, jPath, tagName); + } + if(tagContent) { + tagContent = this.parseTextData(tagContent, tagName, jPath, true, attrExpPresent, true, true); + } + + jPath = jPath.substr(0, jPath.lastIndexOf(".")); + childNode.add(this.options.textNodeName, tagContent); + + this.addChild(currentNode, childNode, jPath, startIndex); + }else{ + //selfClosing tag + if(tagExp.length > 0 && tagExp.lastIndexOf("/") === tagExp.length - 1){ + if(tagName[tagName.length - 1] === "/"){ //remove trailing '/' + tagName = tagName.substr(0, tagName.length - 1); + jPath = jPath.substr(0, jPath.length - 1); + tagExp = tagName; + }else{ + tagExp = tagExp.substr(0, tagExp.length - 1); + } + + if(this.options.transformTagName) { + tagName = this.options.transformTagName(tagName); + } + + const childNode = new xmlNode(tagName); + if(tagName !== tagExp && attrExpPresent){ + childNode[":@"] = this.buildAttributesMap(tagExp, jPath, tagName); + } + this.addChild(currentNode, childNode, jPath, startIndex); + jPath = jPath.substr(0, jPath.lastIndexOf(".")); + } + //opening tag + else{ + const childNode = new xmlNode( tagName); + this.tagsNodeStack.push(currentNode); + + if(tagName !== tagExp && attrExpPresent){ + childNode[":@"] = this.buildAttributesMap(tagExp, jPath, tagName); + } + this.addChild(currentNode, childNode, jPath, startIndex); + currentNode = childNode; + } + textData = ""; + i = closeIndex; + } + } + }else{ + textData += xmlData[i]; + } + } + return xmlObj.child; +} + +function addChild(currentNode, childNode, jPath, startIndex){ + // unset startIndex if not requested + if (!this.options.captureMetaData) startIndex = undefined; + const result = this.options.updateTag(childNode.tagname, jPath, childNode[":@"]) + if(result === false){ + } else if(typeof result === "string"){ + childNode.tagname = result + currentNode.addChild(childNode, startIndex); + }else{ + currentNode.addChild(childNode, startIndex); + } +} + +const replaceEntitiesValue = function(val){ + + if(this.options.processEntities){ + for(let entityName in this.docTypeEntities){ + const entity = this.docTypeEntities[entityName]; + val = val.replace( entity.regx, entity.val); + } + for(let entityName in this.lastEntities){ + const entity = this.lastEntities[entityName]; + val = val.replace( entity.regex, entity.val); + } + if(this.options.htmlEntities){ + for(let entityName in this.htmlEntities){ + const entity = this.htmlEntities[entityName]; + val = val.replace( entity.regex, entity.val); + } + } + val = val.replace( this.ampEntity.regex, this.ampEntity.val); + } + return val; +} +function saveTextToParentTag(textData, currentNode, jPath, isLeafNode) { + if (textData) { //store previously collected data as textNode + if(isLeafNode === undefined) isLeafNode = currentNode.child.length === 0 + + textData = this.parseTextData(textData, + currentNode.tagname, + jPath, + false, + currentNode[":@"] ? Object.keys(currentNode[":@"]).length !== 0 : false, + isLeafNode); + + if (textData !== undefined && textData !== "") + currentNode.add(this.options.textNodeName, textData); + textData = ""; + } + return textData; +} + +//TODO: use jPath to simplify the logic +/** + * + * @param {string[]} stopNodes + * @param {string} jPath + * @param {string} currentTagName + */ +function isItStopNode(stopNodes, jPath, currentTagName){ + const allNodesExp = "*." + currentTagName; + for (const stopNodePath in stopNodes) { + const stopNodeExp = stopNodes[stopNodePath]; + if( allNodesExp === stopNodeExp || jPath === stopNodeExp ) return true; + } + return false; +} + +/** + * Returns the tag Expression and where it is ending handling single-double quotes situation + * @param {string} xmlData + * @param {number} i starting index + * @returns + */ +function tagExpWithClosingIndex(xmlData, i, closingChar = ">"){ + let attrBoundary; + let tagExp = ""; + for (let index = i; index < xmlData.length; index++) { + let ch = xmlData[index]; + if (attrBoundary) { + if (ch === attrBoundary) attrBoundary = "";//reset + } else if (ch === '"' || ch === "'") { + attrBoundary = ch; + } else if (ch === closingChar[0]) { + if(closingChar[1]){ + if(xmlData[index + 1] === closingChar[1]){ + return { + data: tagExp, + index: index + } + } + }else{ + return { + data: tagExp, + index: index + } + } + } else if (ch === '\t') { + ch = " " + } + tagExp += ch; + } +} + +function findClosingIndex(xmlData, str, i, errMsg){ + const closingIndex = xmlData.indexOf(str, i); + if(closingIndex === -1){ + throw new Error(errMsg) + }else{ + return closingIndex + str.length - 1; + } +} + +function readTagExp(xmlData,i, removeNSPrefix, closingChar = ">"){ + const result = tagExpWithClosingIndex(xmlData, i+1, closingChar); + if(!result) return; + let tagExp = result.data; + const closeIndex = result.index; + const separatorIndex = tagExp.search(/\s/); + let tagName = tagExp; + let attrExpPresent = true; + if(separatorIndex !== -1){//separate tag name and attributes expression + tagName = tagExp.substring(0, separatorIndex); + tagExp = tagExp.substring(separatorIndex + 1).trimStart(); + } + + const rawTagName = tagName; + if(removeNSPrefix){ + const colonIndex = tagName.indexOf(":"); + if(colonIndex !== -1){ + tagName = tagName.substr(colonIndex+1); + attrExpPresent = tagName !== result.data.substr(colonIndex + 1); + } + } + + return { + tagName: tagName, + tagExp: tagExp, + closeIndex: closeIndex, + attrExpPresent: attrExpPresent, + rawTagName: rawTagName, + } +} +/** + * find paired tag for a stop node + * @param {string} xmlData + * @param {string} tagName + * @param {number} i + */ +function readStopNodeData(xmlData, tagName, i){ + const startIndex = i; + // Starting at 1 since we already have an open tag + let openTagCount = 1; + + for (; i < xmlData.length; i++) { + if( xmlData[i] === "<"){ + if (xmlData[i+1] === "/") {//close tag + const closeIndex = findClosingIndex(xmlData, ">", i, `${tagName} is not closed`); + let closeTagName = xmlData.substring(i+2,closeIndex).trim(); + if(closeTagName === tagName){ + openTagCount--; + if (openTagCount === 0) { + return { + tagContent: xmlData.substring(startIndex, i), + i : closeIndex + } + } + } + i=closeIndex; + } else if(xmlData[i+1] === '?') { + const closeIndex = findClosingIndex(xmlData, "?>", i+1, "StopNode is not closed.") + i=closeIndex; + } else if(xmlData.substr(i + 1, 3) === '!--') { + const closeIndex = findClosingIndex(xmlData, "-->", i+3, "StopNode is not closed.") + i=closeIndex; + } else if(xmlData.substr(i + 1, 2) === '![') { + const closeIndex = findClosingIndex(xmlData, "]]>", i, "StopNode is not closed.") - 2; + i=closeIndex; + } else { + const tagData = readTagExp(xmlData, i, '>') + + if (tagData) { + const openTagName = tagData && tagData.tagName; + if (openTagName === tagName && tagData.tagExp[tagData.tagExp.length-1] !== "/") { + openTagCount++; + } + i=tagData.closeIndex; + } + } + } + }//end for loop +} + +function parseValue(val, shouldParse, options) { + if (shouldParse && typeof val === 'string') { + //console.log(options) + const newval = val.trim(); + if(newval === 'true' ) return true; + else if(newval === 'false' ) return false; + else return toNumber(val, options); + } else { + if (isExist(val)) { + return val; + } else { + return ''; + } + } +} diff --git a/.socket/blob/ed030fd3c8078b1e4e97e3706c793ca56b9e84798d269360d419364d9fd27ff1 b/.socket/blob/ed030fd3c8078b1e4e97e3706c793ca56b9e84798d269360d419364d9fd27ff1 new file mode 100644 index 0000000..ac679c4 --- /dev/null +++ b/.socket/blob/ed030fd3c8078b1e4e97e3706c793ca56b9e84798d269360d419364d9fd27ff1 @@ -0,0 +1,8 @@ +// Socket Community Patch: https://socket.dev +// Date: Mon, 16 Mar 2026 22:23:23 GMT +// For more information see https://socket.dev/patch/66ab43a3-7f62-4fcb-bd27-330b23591c44 +// This file includes modifications made by Socket, Inc. on Mon, 16 Mar 2026; these modifications are called the "Patch". In some cases, Socket may be required to make the Patch available to you under specific terms, or may be prohibited from restricting certain rights you may have. For example, the terms of another applicable license may require Socket to make the Patch available under specific terms. In those cases, the Patch is made available to you under the required terms, and Socket does not seek to restrict your rights relative to the Patch where prohibited. In all other cases, the Patch is available to you exclusively under the PolyForm Shield License 1.0.0 (https://polyformproject.org/licenses/shield/1.0.0/). The Patch was distributed by Socket with additional information concerning licensing, attribution, and limitation of liability which may be relevant to you and your use of the Patch. As far as the law allows, the Patch and the software including the patch come as is, without any warranty or condition, and Socket will not be liable to you for any damages arising out of the applicable license terms or the use or nature of the Patch or the software including the patch, under any kind of legal claim. +// Original License: MIT + +!function(t,e){"object"==typeof exports&&"object"==typeof module?module.exports=e():"function"==typeof define&&define.amd?define([],e):"object"==typeof exports?exports.XMLParser=e():t.XMLParser=e()}(this,(()=>(()=>{"use strict";var t={d:(e,r)=>{for(var n in r)t.o(r,n)&&!t.o(e,n)&&Object.defineProperty(e,n,{enumerable:!0,get:r[n]})},o:(t,e)=>Object.prototype.hasOwnProperty.call(t,e),r:t=>{"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(t,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(t,"__esModule",{value:!0})}},e={};t.r(e),t.d(e,{default:()=>et});var r={preserveOrder:!1,attributeNamePrefix:"@_",attributesGroupName:!1,textNodeName:"#text",ignoreAttributes:!0,removeNSPrefix:!1,allowBooleanAttributes:!1,parseTagValue:!0,parseAttributeValue:!1,trimValues:!0,cdataPropName:!1,numberParseOptions:{hex:!0,leadingZeros:!0,eNotation:!0},tagValueProcessor:function(t,e){return e},attributeValueProcessor:function(t,e){return e},stopNodes:[],alwaysCreateTextNode:!1,isArray:function(){return!1},commentPropName:!1,unpairedTags:[],processEntities:!0,htmlEntities:!1,ignoreDeclaration:!1,ignorePiTags:!1,transformTagName:!1,transformAttributeName:!1,updateTag:function(t,e,r){return t},captureMetaData:!1},n=":A-Za-z_\\u00C0-\\u00D6\\u00D8-\\u00F6\\u00F8-\\u02FF\\u0370-\\u037D\\u037F-\\u1FFF\\u200C-\\u200D\\u2070-\\u218F\\u2C00-\\u2FEF\\u3001-\\uD7FF\\uF900-\\uFDCF\\uFDF0-\\uFFFD",i=new RegExp("^["+n+"]["+n+"\\-.\\d\\u00B7\\u0300-\\u036F\\u203F-\\u2040]*$");function a(t,e){for(var r=[],n=e.exec(t);n;){var i=[];i.startIndex=e.lastIndex-n[0].length;for(var a=n.length,o=0;o0?this.child.push(((r={})[t.tagname]=t.child,r[":@"]=t[":@"],r)):this.child.push(((n={})[t.tagname]=t.child,n)),void 0!==e&&(this.child[this.child.length-1][o]={startIndex:e})},t.getMetaDataSymbol=function(){return o},t}();function u(t,e){var r={};if("O"!==t[e+3]||"C"!==t[e+4]||"T"!==t[e+5]||"Y"!==t[e+6]||"P"!==t[e+7]||"E"!==t[e+8])throw new Error("Invalid Tag instead of DOCTYPE");e+=9;for(var n=1,i=!1,a=!1;e"===t[e]){if(a?"-"===t[e-1]&&"-"===t[e-2]&&(a=!1,n--):n--,0===n)break}else"["===t[e]?i=!0:t[e];else{if(i&&c(t,"!ENTITY",e)){var o,s=void 0,l=d(t,(e+=7)+1);o=l[0],s=l[1],e=l[2],-1===s.indexOf("&")&&(r[o]={regx:RegExp("&"+o.replace(/[.\-+*:]/g,"\\.")+";","g"),val:s})}else if(i&&c(t,"!ELEMENT",e))e=p(t,(e+=8)+1).index;else if(i&&c(t,"!ATTLIST",e))e+=8;else if(i&&c(t,"!NOTATION",e))e=g(t,(e+=9)+1).index;else{if(!c(t,"!--",e))throw new Error("Invalid DOCTYPE");a=!0}n++}if(0!==n)throw new Error("Unclosed DOCTYPE");return{entities:r,i:e}}var f=function(t,e){for(;et.length)&&(e=t.length);for(var r=0,n=Array(e);r"},lt:{regex:/&(lt|#60|#x3C);/g,val:"<"},quot:{regex:/&(quot|#34|#x22);/g,val:'"'}},this.ampEntity={regex:/&(amp|#38|#x26);/g,val:"&"},this.htmlEntities={space:{regex:/&(nbsp|#160);/g,val:" "},cent:{regex:/&(cent|#162);/g,val:"¢"},pound:{regex:/&(pound|#163);/g,val:"£"},yen:{regex:/&(yen|#165);/g,val:"¥"},euro:{regex:/&(euro|#8364);/g,val:"€"},copyright:{regex:/&(copy|#169);/g,val:"©"},reg:{regex:/&(reg|#174);/g,val:"®"},inr:{regex:/&(inr|#8377);/g,val:"₹"},num_dec:{regex:/&#([0-9]{1,7});/g,val:function(t,e){return String.fromCodePoint(Number.parseInt(e,10))}},num_hex:{regex:/&#x([0-9a-fA-F]{1,6});/g,val:function(t,e){return String.fromCodePoint(Number.parseInt(e,16))}}},this.addExternalEntities=T,this.parseXml=O,this.parseTextData=w,this.resolveNameSpace=I,this.buildAttributesMap=A,this.isItStopNode=M,this.replaceEntitiesValue=C,this.readStopNodeData=k,this.saveTextToParentTag=D,this.addChild=P,this.ignoreAttributesFn="function"==typeof(e=this.options.ignoreAttributes)?e:Array.isArray(e)?function(t){for(var r,n=function(t,e){var r="undefined"!=typeof Symbol&&t[Symbol.iterator]||t["@@iterator"];if(r)return(r=r.call(t)).next.bind(r);if(Array.isArray(t)||(r=function(t,e){if(t){if("string"==typeof t)return E(t,e);var r={}.toString.call(t).slice(8,-1);return"Object"===r&&t.constructor&&(r=t.constructor.name),"Map"===r||"Set"===r?Array.from(t):"Arguments"===r||/^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(r)?E(t,e):void 0}}(t))||e&&t&&"number"==typeof t.length){r&&(t=r);var n=0;return function(){return n>=t.length?{done:!0}:{done:!1,value:t[n++]}}}throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.")}(e);!(r=n()).done;){var i=r.value;if("string"==typeof i&&t===i)return!0;if(i instanceof RegExp&&i.test(t))return!0}}:function(){return!1}};function T(t){for(var e=Object.keys(t),r=0;r0)){o||(t=this.replaceEntitiesValue(t));var s=this.options.tagValueProcessor(e,t,r,i,a);return null==s?t:typeof s!=typeof t||s!==t?s:this.options.trimValues||t.trim()===t?j(t,this.options.parseTagValue,this.options.numberParseOptions):t}}function I(t){if(this.options.removeNSPrefix){var e=t.split(":"),r="/"===t.charAt(0)?"/":"";if("xmlns"===e[0])return"";2===e.length&&(t=r+e[1])}return t}var S=new RegExp("([^\\s=]+)\\s*(=\\s*(['\"])([\\s\\S]*?)\\3)?","gm");function A(t,e,r){if(!0!==this.options.ignoreAttributes&&"string"==typeof t){for(var n=a(t,S),i=n.length,o={},s=0;s",a,"Closing Tag is not closed."),s=t.substring(a+2,o).trim();if(this.options.removeNSPrefix){var f=s.indexOf(":");-1!==f&&(s=s.substr(f+1))}this.options.transformTagName&&(s=this.options.transformTagName(s)),r&&(n=this.saveTextToParentTag(n,r,i));var d=i.substring(i.lastIndexOf(".")+1);if(s&&-1!==this.options.unpairedTags.indexOf(s))throw new Error("Unpaired tag can not be used as closing tag: ");var g=0;d&&-1!==this.options.unpairedTags.indexOf(d)?(g=i.lastIndexOf(".",i.lastIndexOf(".")-1),this.tagsNodeStack.pop()):g=i.lastIndexOf("."),i=i.substring(0,g),r=this.tagsNodeStack.pop(),n="",a=o}else if("?"===t[a+1]){var h=F(t,a,!1,"?>");if(!h)throw new Error("Pi Tag is not closed.");if(n=this.saveTextToParentTag(n,r,i),this.options.ignoreDeclaration&&"?xml"===h.tagName||this.options.ignorePiTags);else{var p=new l(h.tagName);p.add(this.options.textNodeName,""),h.tagName!==h.tagExp&&h.attrExpPresent&&(p[":@"]=this.buildAttributesMap(h.tagExp,i,h.tagName)),this.addChild(r,p,i,a)}a=h.closeIndex+1}else if("!--"===t.substr(a+1,3)){var c=_(t,"--\x3e",a+4,"Comment is not closed.");if(this.options.commentPropName){var v,m=t.substring(a+4,c-2);n=this.saveTextToParentTag(n,r,i),r.add(this.options.commentPropName,[(v={},v[this.options.textNodeName]=m,v)])}a=c}else if("!D"===t.substr(a+1,2)){var x=u(t,a);this.docTypeEntities=x.entities,a=x.i}else if("!["===t.substr(a+1,2)){var b=_(t,"]]>",a,"CDATA is not closed.")-2,N=t.substring(a+9,b);n=this.saveTextToParentTag(n,r,i);var E,y=this.parseTextData(N,r.tagname,i,!0,!1,!0,!0);null==y&&(y=""),this.options.cdataPropName?r.add(this.options.cdataPropName,[(E={},E[this.options.textNodeName]=N,E)]):r.add(this.options.textNodeName,y),a=b+2}else{var T=F(t,a,this.options.removeNSPrefix),w=T.tagName,I=T.rawTagName,S=T.tagExp,A=T.attrExpPresent,O=T.closeIndex;this.options.transformTagName&&(w=this.options.transformTagName(w)),r&&n&&"!xml"!==r.tagname&&(n=this.saveTextToParentTag(n,r,i,!1));var P=r;P&&-1!==this.options.unpairedTags.indexOf(P.tagname)&&(r=this.tagsNodeStack.pop(),i=i.substring(0,i.lastIndexOf("."))),w!==e.tagname&&(i+=i?"."+w:w);var C=a;if(this.isItStopNode(this.options.stopNodes,i,w)){var D="";if(S.length>0&&S.lastIndexOf("/")===S.length-1)"/"===w[w.length-1]?(w=w.substr(0,w.length-1),i=i.substr(0,i.length-1),S=w):S=S.substr(0,S.length-1),a=T.closeIndex;else if(-1!==this.options.unpairedTags.indexOf(w))a=T.closeIndex;else{var M=this.readStopNodeData(t,I,O+1);if(!M)throw new Error("Unexpected end of "+I);a=M.i,D=M.tagContent}var k=new l(w);w!==S&&A&&(k[":@"]=this.buildAttributesMap(S,i,w)),D&&(D=this.parseTextData(D,w,i,!0,A,!0,!0)),i=i.substr(0,i.lastIndexOf(".")),k.add(this.options.textNodeName,D),this.addChild(r,k,i,C)}else{if(S.length>0&&S.lastIndexOf("/")===S.length-1){"/"===w[w.length-1]?(w=w.substr(0,w.length-1),i=i.substr(0,i.length-1),S=w):S=S.substr(0,S.length-1),this.options.transformTagName&&(w=this.options.transformTagName(w));var j=new l(w);w!==S&&A&&(j[":@"]=this.buildAttributesMap(S,i,w)),this.addChild(r,j,i,C),i=i.substr(0,i.lastIndexOf("."))}else{var V=new l(w);this.tagsNodeStack.push(r),w!==S&&A&&(V[":@"]=this.buildAttributesMap(S,i,w)),this.addChild(r,V,i,C),r=V}n="",a=O}}else n+=t[a];return e.child};function P(t,e,r,n){this.options.captureMetaData||(n=void 0);var i=this.options.updateTag(e.tagname,r,e[":@"]);!1===i||("string"==typeof i?(e.tagname=i,t.addChild(e,n)):t.addChild(e,n))}var C=function(t){if(this.options.processEntities){for(var e in this.docTypeEntities){var r=this.docTypeEntities[e];t=t.replace(r.regx,r.val)}for(var n in this.lastEntities){var i=this.lastEntities[n];t=t.replace(i.regex,i.val)}if(this.options.htmlEntities)for(var a in this.htmlEntities){var o=this.htmlEntities[a];t=t.replace(o.regex,o.val)}t=t.replace(this.ampEntity.regex,this.ampEntity.val)}return t};function D(t,e,r,n){return t&&(void 0===n&&(n=0===e.child.length),void 0!==(t=this.parseTextData(t,e.tagname,r,!1,!!e[":@"]&&0!==Object.keys(e[":@"]).length,n))&&""!==t&&e.add(this.options.textNodeName,t),t=""),t}function M(t,e,r){var n="*."+r;for(var i in t){var a=t[i];if(n===a||e===a)return!0}return!1}function _(t,e,r,n){var i=t.indexOf(e,r);if(-1===i)throw new Error(n);return i+e.length-1}function F(t,e,r,n){void 0===n&&(n=">");var i=function(t,e,r){var n;void 0===r&&(r=">");for(var i="",a=e;a",r,e+" is not closed");if(t.substring(r+2,a).trim()===e&&0==--i)return{tagContent:t.substring(n,r),i:a};r=a}else if("?"===t[r+1])r=_(t,"?>",r+1,"StopNode is not closed.");else if("!--"===t.substr(r+1,3))r=_(t,"--\x3e",r+3,"StopNode is not closed.");else if("!["===t.substr(r+1,2))r=_(t,"]]>",r,"StopNode is not closed.")-2;else{var o=F(t,r,">");o&&((o&&o.tagName)===e&&"/"!==o.tagExp[o.tagExp.length-1]&&i++,r=o.closeIndex)}}function j(t,e,r){if(e&&"string"==typeof t){var n=t.trim();return"true"===n||"false"!==n&&function(t,e={}){if(e=Object.assign({},b,e),!t||"string"!=typeof t)return t;let r=t.trim();if(void 0!==e.skipLike&&e.skipLike.test(r))return t;if("0"===t)return 0;if(e.hex&&m.test(r))return function(t){if(parseInt)return parseInt(t,16);if(Number.parseInt)return Number.parseInt(t,16);if(window&&window.parseInt)return window.parseInt(t,16);throw new Error("parseInt, Number.parseInt, window.parseInt are not supported")}(r);if(-1!==r.search(/.+[eE].+/))return function(t,e,r){if(!r.eNotation)return t;const n=e.match(N);if(n){let i=n[1]||"";const a=-1===n[3].indexOf("e")?"E":"e",o=n[2],s=i?t[o.length+1]===a:t[o.length]===a;return o.length>1&&s?t:1!==o.length||!n[3].startsWith(`.${a}`)&&n[3][0]!==a?r.leadingZeros&&!s?(e=(n[1]||"")+n[3],Number(e)):t:Number(e)}return t}(t,r,e);{const i=x.exec(r);if(i){const a=i[1]||"",o=i[2];let s=(n=i[3])&&-1!==n.indexOf(".")?("."===(n=n.replace(/0+$/,""))?n="0":"."===n[0]?n="0"+n:"."===n[n.length-1]&&(n=n.substring(0,n.length-1)),n):n;const l=a?"."===t[o.length+1]:"."===t[o.length];if(!e.leadingZeros&&(o.length>1||1===o.length&&!l))return t;{const n=Number(r),i=String(n);if(0===n||-0===n)return n;if(-1!==i.search(/[eE]/))return e.eNotation?n:t;if(-1!==r.indexOf("."))return"0"===i||i===s||i===`${a}${s}`?n:t;let l=o?s:r;return o?l===i||a+l===i?n:t:l===i||l===a+i?n:t}}return t}var n}(t,r)}return void 0!==t?t:""}var V=l.getMetaDataSymbol();function Y(t,e){return L(t,e)}function L(t,e,r){for(var n,i={},a=0;a0&&(i[e.textNodeName]=n):void 0!==n&&(i[e.textNodeName]=n),i}function U(t){for(var e=Object.keys(t),r=0;r5&&"xml"===n)return H("InvalidXml","XML declaration allowed only at the start of the document.",Q(t,e));if("?"==t[e]&&">"==t[e+1]){e++;break}}return e}function q(t,e){if(t.length>e+5&&"-"===t[e+1]&&"-"===t[e+2]){for(e+=3;e"===t[e+2]){e+=2;break}}else if(t.length>e+8&&"D"===t[e+1]&&"O"===t[e+2]&&"C"===t[e+3]&&"T"===t[e+4]&&"Y"===t[e+5]&&"P"===t[e+6]&&"E"===t[e+7]){var r=1;for(e+=8;e"===t[e]&&0==--r)break}else if(t.length>e+9&&"["===t[e+1]&&"C"===t[e+2]&&"D"===t[e+3]&&"A"===t[e+4]&&"T"===t[e+5]&&"A"===t[e+6]&&"["===t[e+7])for(e+=8;e"===t[e+2]){e+=2;break}return e}function G(t,e){for(var r="",n="",i=!1;e"===t[e]&&""===n){i=!0;break}r+=t[e]}return""===n&&{value:r,index:e,tagClosed:i}}var z=new RegExp("(\\s*)([^\\s=]+)(\\s*=)?(\\s*(['\"])(([\\s\\S])*?)\\5)?","g");function J(t,e){for(var r=a(t,z),n={},i=0;i"!==t[a]&&" "!==t[a]&&"\t"!==t[a]&&"\n"!==t[a]&&"\r"!==t[a];a++)u+=t[a];if("/"===(u=u.trim())[u.length-1]&&(u=u.substring(0,u.length-1),a--),!s(u))return H("InvalidTag",0===u.trim().length?"Invalid space after '<'.":"Tag '"+u+"' is an invalid name.",Q(t,a));var f=G(t,a);if(!1===f)return H("InvalidAttr","Attributes for '"+u+"' have open quote.",Q(t,a));var d=f.value;if(a=f.index,"/"===d[d.length-1]){var g=a-d.length,h=J(d=d.substring(0,d.length-1),e);if(!0!==h)return H(h.err.code,h.err.msg,Q(t,g+h.err.line));n=!0}else if(l){if(!f.tagClosed)return H("InvalidTag","Closing tag '"+u+"' doesn't have proper closing.",Q(t,a));if(d.trim().length>0)return H("InvalidTag","Closing tag '"+u+"' can't have attributes or invalid starting.",Q(t,o));if(0===r.length)return H("InvalidTag","Closing tag '"+u+"' has not been opened.",Q(t,o));var p=r.pop();if(u!==p.tagName){var c=Q(t,p.tagStartPos);return H("InvalidTag","Expected closing tag '"+p.tagName+"' (opened in line "+c.line+", col "+c.col+") instead of closing tag '"+u+"'.",Q(t,o))}0==r.length&&(i=!0)}else{var v=J(d,e);if(!0!==v)return H(v.err.code,v.err.msg,Q(t,a-d.length+v.err.line));if(!0===i)return H("InvalidXml","Multiple possible root nodes found.",Q(t,a));-1!==e.unpairedTags.indexOf(u)||r.push({tagName:u,tagStartPos:o}),n=!0}for(a++;a0)||H("InvalidXml","Invalid '"+JSON.stringify(r.map((function(t){return t.tagName})),null,4).replace(/\r?\n/g,"")+"' found.",{line:1,col:1}):H("InvalidXml","Start tag expected.",1)}(t,e);if(!0!==r)throw Error(r.err.msg+":"+r.err.line+":"+r.err.col)}var n=new y(this.options);n.addExternalEntities(this.externalEntities);var i=n.parseXml(t);return this.options.preserveOrder||void 0===i?i:Y(i,this.options)},e.addEntity=function(t,e){if(-1!==e.indexOf("&"))throw new Error("Entity value can't have '&'");if(-1!==t.indexOf("&")||-1!==t.indexOf(";"))throw new Error("An entity must be set without '&' and ';'. Eg. use '#xD' for ' '");if("&"===e)throw new Error("An entity with value '&' is not permitted");this.externalEntities[t]=e},t.getMetaDataSymbol=function(){return l.getMetaDataSymbol()},t}();return e})())); +//# sourceMappingURL=fxparser.min.js.map \ No newline at end of file diff --git a/.socket/blob/f02688fb81c13f26529d1c75f382f825420c7c44f963d5ffb46248352acc5604 b/.socket/blob/f02688fb81c13f26529d1c75f382f825420c7c44f963d5ffb46248352acc5604 new file mode 100644 index 0000000..4de6fc3 --- /dev/null +++ b/.socket/blob/f02688fb81c13f26529d1c75f382f825420c7c44f963d5ffb46248352acc5604 @@ -0,0 +1,377 @@ +// Socket Community Patch: https://socket.dev +// Date: Mon, 16 Mar 2026 22:23:23 GMT +// For more information see https://socket.dev/patch/66ab43a3-7f62-4fcb-bd27-330b23591c44 +// This file includes modifications made by Socket, Inc. on Mon, 16 Mar 2026; these modifications are called the "Patch". In some cases, Socket may be required to make the Patch available to you under specific terms, or may be prohibited from restricting certain rights you may have. For example, the terms of another applicable license may require Socket to make the Patch available under specific terms. In those cases, the Patch is made available to you under the required terms, and Socket does not seek to restrict your rights relative to the Patch where prohibited. In all other cases, the Patch is available to you exclusively under the PolyForm Shield License 1.0.0 (https://polyformproject.org/licenses/shield/1.0.0/). The Patch was distributed by Socket with additional information concerning licensing, attribution, and limitation of liability which may be relevant to you and your use of the Patch. As far as the law allows, the Patch and the software including the patch come as is, without any warranty or condition, and Socket will not be liable to you for any damages arising out of the applicable license terms or the use or nature of the Patch or the software including the patch, under any kind of legal claim. +// Original License: MIT + +import {isName} from '../util.js'; + +//TODO: handle comments +export default function readDocType(xmlData, i){ + + const entities = {}; + if( xmlData[i + 3] === 'O' && + xmlData[i + 4] === 'C' && + xmlData[i + 5] === 'T' && + xmlData[i + 6] === 'Y' && + xmlData[i + 7] === 'P' && + xmlData[i + 8] === 'E') + { + i = i+9; + let angleBracketsCount = 1; + let hasBody = false, comment = false; + let exp = ""; + for(;i') { //Read tag content + if(comment){ + if( xmlData[i - 1] === "-" && xmlData[i - 2] === "-"){ + comment = false; + angleBracketsCount--; + } + }else{ + angleBracketsCount--; + } + if (angleBracketsCount === 0) { + break; + } + }else if( xmlData[i] === '['){ + hasBody = true; + }else{ + exp += xmlData[i]; + } + } + if(angleBracketsCount !== 0){ + throw new Error(`Unclosed DOCTYPE`); + } + }else{ + throw new Error(`Invalid Tag instead of DOCTYPE`); + } + return {entities, i}; +} + +const skipWhitespace = (data, index) => { + while (index < data.length && /\s/.test(data[index])) { + index++; + } + return index; +}; + +function readEntityExp(xmlData, i) { + //External entities are not supported + // + + //Parameter entities are not supported + // + + //Internal entities are supported + // + + // Skip leading whitespace after + // + // + // + // + + // Skip leading whitespace after " }, + // "amp" : { regex: /&(amp|#38);/g, val: "&" }, + // "quot" : { regex: /&(quot|#34);/g, val: "\"" }, + // "apos" : { regex: /&(apos|#39);/g, val: "'" }, + "cent" : { regex: /&(cent|#162);/g, val: "¢" }, + "pound" : { regex: /&(pound|#163);/g, val: "£" }, + "yen" : { regex: /&(yen|#165);/g, val: "¥" }, + "euro" : { regex: /&(euro|#8364);/g, val: "€" }, + "copyright" : { regex: /&(copy|#169);/g, val: "©" }, + "reg" : { regex: /&(reg|#174);/g, val: "®" }, + "inr" : { regex: /&(inr|#8377);/g, val: "₹" }, + "num_dec": { regex: /&#([0-9]{1,7});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 10)) }, + "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val : (_, str) => String.fromCodePoint(Number.parseInt(str, 16)) }, +}; +export default class EntitiesParser{ + constructor(replaceHtmlEntities) { + this.replaceHtmlEntities = replaceHtmlEntities; + this.docTypeEntities = {}; + this.lastEntities = { + "apos" : { regex: /&(apos|#39|#x27);/g, val : "'"}, + "gt" : { regex: /&(gt|#62|#x3E);/g, val : ">"}, + "lt" : { regex: /&(lt|#60|#x3C);/g, val : "<"}, + "quot" : { regex: /&(quot|#34|#x22);/g, val : "\""}, + }; + } + + addExternalEntities(externalEntities){ + const entKeys = Object.keys(externalEntities); + for (let i = 0; i < entKeys.length; i++) { + const ent = entKeys[i]; + this.addExternalEntity(ent,externalEntities[ent]) + } + } + addExternalEntity(key,val){ + validateEntityName(key); + const escaped = key.replace(/[.\-+*:]/g, '\\.'); + if(val.indexOf("&") !== -1) { + reportWarning(`Entity ${key} is not added as '&' is found in value;`) + return; + }else{ + this.lastEntities[key] = { + regex: new RegExp("&"+escaped+";","g"), + val : val + } + } + } + + addDocTypeEntities(entities){ + const entKeys = Object.keys(entities); + for (let i = 0; i < entKeys.length; i++) { + const ent = entKeys[i]; + const escaped = ent.replace(/[.\-+*:]/g, '\\.'); + this.docTypeEntities[ent] = { + regex: new RegExp("&"+escaped+";","g"), + val : entities[ent] + } + } + } + + parse(val){ + return this.replaceEntitiesValue(val) + } + + /** + * 1. Replace DOCTYPE entities + * 2. Replace external entities + * 3. Replace HTML entities if asked + * @param {string} val + */ + replaceEntitiesValue(val){ + if(typeof val === "string" && val.length > 0){ + for(let entityName in this.docTypeEntities){ + const entity = this.docTypeEntities[entityName]; + val = val.replace( entity.regx, entity.val); + } + for(let entityName in this.lastEntities){ + const entity = this.lastEntities[entityName]; + val = val.replace( entity.regex, entity.val); + } + if(this.replaceHtmlEntities){ + for(let entityName in htmlEntities){ + const entity = htmlEntities[entityName]; + val = val.replace( entity.regex, entity.val); + } + } + val = val.replace( ampEntity.regex, ampEntity.val); + } + return val; + } +} + +//an entity name should not contains special characters that may be used in regex +//Eg !?\\\/[]$%{}^&*()<> +const specialChar = "!?\\/[]$%{}^&*()<>|+"; + +function validateEntityName(name){ + for (let i = 0; i < specialChar.length; i++) { + const ch = specialChar[i]; + if(name.indexOf(ch) !== -1) throw new Error(`Invalid character ${ch} in entity name`); + } + return name; +} diff --git a/.socket/manifest.json b/.socket/manifest.json new file mode 100644 index 0000000..31640cf --- /dev/null +++ b/.socket/manifest.json @@ -0,0 +1,47 @@ +{ + "patches": { + "pkg:npm/fast-xml-parser@5.2.5": { + "uuid": "66ab43a3-7f62-4fcb-bd27-330b23591c44", + "exportedAt": "Mon, 16 Mar 2026 22:23:27 GMT", + "files": { + "package/lib/fxp.cjs": { + "beforeHash": "75fa525146d7813c879f23945fd94bb1597355fa88773fb225d8a0a580b222f1", + "afterHash": "d77e16cb8ece7ad71855831dbd483336b0d847d06f1967bb0785bc2338e6a453" + }, + "package/lib/fxp.min.js": { + "beforeHash": "c90c4d9dc58520b6f0401390407b76d90babcc3b93b04187eb4d1b2c1399ac04", + "afterHash": "25323f5a8329402ddd5b12690919aedfb91f5fd98e18931ea1a6d73ca4ec8d4c" + }, + "package/lib/fxparser.min.js": { + "beforeHash": "85df38a51a95ca3ee7ad310199c9876865648a428ab19da957c376ac0f35b019", + "afterHash": "ed030fd3c8078b1e4e97e3706c793ca56b9e84798d269360d419364d9fd27ff1" + }, + "package/src/v6/EntitiesParser.js": { + "beforeHash": "3ebb2d7bc3405623692cee6e774dd2c5ba59b5e03e62d5a8c1c76856d1270ae8", + "afterHash": "f90a0550df6525f7f6c41a2c2f1a69c1dbda0a4582581ed6132008b6f1ea31ab" + }, + "package/src/xmlparser/DocTypeReader.js": { + "beforeHash": "9e73b787367abe0bffdd140e5c2a8db80b533fb80ce062d0a97be26c1f6cbf99", + "afterHash": "f02688fb81c13f26529d1c75f382f825420c7c44f963d5ffb46248352acc5604" + }, + "package/src/xmlparser/OrderedObjParser.js": { + "beforeHash": "5f3a5fbd7f0a1b672f3ce69695c25c81731141392a787eccebe0e7651c72f30b", + "afterHash": "e218ca2bbc47e52f8aa24865faccf27b982b20e6a68bc312ca2755520e474150" + } + }, + "vulnerabilities": { + "GHSA-m7jm-9gc2-mpf2": { + "cves": [ + "CVE-2026-25896" + ], + "summary": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names", + "severity": "CRITICAL", + "description": "# Entity encoding bypass via regex injection in DOCTYPE entity names\n\n## Summary\n\nA dot (`.`) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (`<`, `>`, `&`, `"`, `'`) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.\n\n## Details\n\nThe fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed `.` (period), which is valid in XML names per the W3C spec.\n\nIn `DocTypeReader.js`, entity names are passed directly to `RegExp()`:\n\n```js\nentities[entityName] = {\n regx: RegExp(`&${entityName};`, \"g\"),\n val: val\n};\n```\n\nAn entity named `l.` produces the regex `/&l.;/g` where `.` matches **any character**, including the `t` in `<`. Since DOCTYPE entities are replaced before built-in entities, this shadows `<` entirely.\n\nThe same issue exists in `OrderedObjParser.js:81` (`addExternalEntities`), and in the v6 codebase - `EntitiesParser.js` has a `validateEntityName` function with a character blacklist, but `.` is not included:\n\n```js\n// v6 EntitiesParser.js line 96\nconst specialChar = \"!?\\\\/[]$%{}^&*()<>|+\"; // no dot\n```\n\n## Shadowing all 5 built-in entities\n\n| Entity name | Regex created | Shadows |\n|---|---|---|\n| `l.` | `/&l.;/g` | `<` |\n| `g.` | `/&g.;/g` | `>` |\n| `am.` | `/&am.;/g` | `&` |\n| `quo.` | `/&quo.;/g` | `"` |\n| `apo.` | `/&apo.;/g` | `'` |\n\n## PoC\n\n```js\nconst { XMLParser } = require(\"fast-xml-parser\");\n\nconst xml = `\n\">\n]>\n\n Hello <b>World</b>\n`;\n\nconst result = new XMLParser().parse(xml);\nconsole.log(result.root.text);\n// Hello b>World/b>\n```\n\nNo special parser options needed - `processEntities: true` is the default.\n\nWhen an app renders `result.root.text` in a page (e.g. `innerHTML`, template interpolation, SSR), the injected `` fires.\n\n`&` can be shadowed too:\n\n```js\nconst xml2 = `\n\n]>\nSELECT * FROM t WHERE name='O&Brien'`;\n\nconst r = new XMLParser().parse(xml2);\nconsole.log(r.root);\n// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'\n```\n\n## Impact\n\nThis is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.\n\n- Default config, no special options\n- Attacker can replace any `<` / `>` / `&` / `"` / `'` with arbitrary strings\n- Direct XSS vector when parsed XML content is rendered in a page\n- v5 and v6 both affected\n\n## Suggested fix\n\nEscape regex metacharacters before constructing the replacement regex:\n\n```js\nconst escaped = entityName.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\nentities[entityName] = {\n regx: RegExp(`&${escaped};`, \"g\"),\n val: val\n};\n```\n\nFor v6, add `.` to the blacklist in `validateEntityName`:\n\n```js\nconst specialChar = \"!?\\\\/[].{}^&*()<>|+\";\n```\n\n## Severity\n\n**CWE-185** (Incorrect Regular Expression)\n\n**CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)**\n\nEntity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions." + } + }, + "description": "", + "license": "MIT", + "tier": "free" + } + } +} \ No newline at end of file diff --git a/package.json b/package.json index 1e133ae..966310d 100644 --- a/package.json +++ b/package.json @@ -9,7 +9,9 @@ "lint": "pnpm --filter @icemap/web lint", "test": "pnpm --filter @icemap/web test", "prepare": "git config core.hooksPath .githooks || true", - "generate-user": "pnpm --filter @icemap/web exec tsx ../../scripts/generate-user.ts" + "generate-user": "pnpm --filter @icemap/web exec tsx ../../scripts/generate-user.ts", + "postinstall": "pnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm", + "dependencies": "pnpm dlx @socketsecurity/socket-patch apply --silent --ecosystems npm" }, "engines": { "node": ">=24.0.0",