Validator: Fail for stray ampersand characters

Fixes #214
NaturalIntelligence · Dec 22, 2019 · a703c1a · a703c1a
1 parent 156d02f
commit a703c1a
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/spec/validator_spec.js b/spec/validator_spec.js
@@ -525,6 +525,23 @@ attribute2="attribute2"
         var result = validator.validate(xmlData).err;
         expect(result).toEqual(expected);
     });
+
+    it('should validate value with ampersand', function () {
+        const error = {
+            InvalidChar: "char '&' is not expected."
+        };
+        validate('<rootNode>jekyll &amp; hyde</rootNode>');
+        validate('<rootNode>jekyll &#123; hyde</rootNode>');
+        validate('<rootNode>jekyll &#x1945abcdef; hyde</rootNode>');
+        validate('<rootNode>jekyll &#x1ah; hyde</rootNode>', error);
+        validate('<rootNode>jekyll &#1a; hyde</rootNode>', error);
+        validate('<rootNode>jekyll &#123 hyde</rootNode>', error);
+        validate('<rootNode>jekyll &#1abcd hyde</rootNode>', error);
+        validate('<rootNode>jekyll & hyde</rootNode>', error);
+        validate('<rootNode>jekyll &aa</rootNode>', error);
+        validate('<rootNode>jekyll &abcdefghij1234567890;</rootNode>');
+        validate('<rootNode>jekyll &abcdefghij1234567890a;</rootNode>', error); // limit to 20 chars
+    });
 });
 
 describe("should not validate XML documents with multiple root nodes", () => {

diff --git a/src/validator.js b/src/validator.js
@@ -155,6 +155,11 @@ exports.validate = function (xmlData, options) {
             } else {
               break;
             }
+          } else if (xmlData[i] === '&') {
+            const afterAmp = validateAmpersand(xmlData, i);
+            if (afterAmp == -1)
+              return getErrorObject('InvalidChar', `char '&' is not expected.`, getLineNumberForPosition(xmlData, i));
+            i = afterAmp;
           }
         } //end of reading tag text value
         if (xmlData[i] === '<') {
@@ -332,6 +337,37 @@ function validateAttributeString(attrStr, options, regxAttrName) {
   return true;
 }
 
+function validateAmpersand(xmlData, i) {
+  // https://www.w3.org/TR/xml/#dt-charref
+  i++;
+  if (xmlData[i] === ';')
+    return -1;
+  if (xmlData[i] === '#') {
+    i++;
+    let re = /\d/;
+    if (xmlData[i] === 'x') {
+      i++;
+      re = /[\da-fA-F]/;
+    }
+    for (; i < xmlData.length; i++) {
+      if (xmlData[i] === ';')
+        return i;
+      if (!xmlData[i].match(re))
+        return -1;
+    }
+    return -1;
+  }
+  let count = 0;
+  for (; i < xmlData.length; i++, count++) {
+    if (xmlData[i].match(/\w/) && count < 20)
+      continue;
+    if (xmlData[i] === ';')
+      break;
+    return -1;
+  }
+  return i;
+}
+
 function getErrorObject(code, message, lineNumber) {
   return {
     err: {