
fix: escape comment and CDATA delimiters when building XML (GHSA-gh4j-gqv2-49f6)#847

Merged
amitguptagwl merged 1 commit into
NaturalIntelligence:v4-maintenancefrom
greymoth-jp:backport-cdata-comment-escape
Jul 2, 2026

Conversation

@greymoth-jp


Purpose / Goal

Backport to the v4-maintenance line of the v5 fix for GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 (XML Comment and CDATA Injection via Unescaped Delimiters in XMLBuilder).

On v4 the builder writes comment and CDATA values verbatim:

  • src/xmlbuilder/json2xml.js: `<!--${val}-->` and `<![CDATA[${val}]]>`
  • src/xmlbuilder/orderedJs2Xml.js: the same two cases for preserveOrder

So a value that contains --> (or --) in a comment, or ]]> in a CDATA section, breaks out and injects arbitrary markup. On the current legacy release (4.5.6):

```js
const { XMLBuilder } = require('fast-xml-parser'); // 4.5.6

new XMLBuilder({ cdataPropName: '#cdata' })
  .build({ data: { '#cdata': 'a]]><script>alert(1)</script><![CDATA[b' } })
// => <data><![CDATA[a]]><script>alert(1)</script><![CDATA[b]]></data>
```

v5 fixed this in fast-xml-builder@1.1.5 (pulled in by 5.7.0, published 2026-04-17). v4 keeps the builder inline, so this applies the same neutralization directly:

  • CDATA: ]]> -> ]]]]><![CDATA[> (lossless split, round-trips)
  • comment: -- -> - -, and a trailing - -> - (a comment cannot legally contain --)

4.5.6 is the current legacy dist-tag and was published before 5.7.0, so it still reproduces; the fix was not backported.

Type

  • Bug Fix
  • Refactoring / Technology upgrade
  • New Feature

Regression tests added in spec/comments_spec.js and spec/cdata_spec.js covering both the default and preserveOrder builders. Full suite passes (285 specs, 0 failures). Happy to open a tracking issue first if you prefer.

…-gqv2-49f6)

Backport to the v4 maintenance line of the v5 fix for GHSA-gh4j-gqv2-49f6
(CVE-2026-41650). When a value placed in a comment node contains `-->`
(or `--`), or a CDATA node contains `]]>`, the builder emitted it verbatim,
so the value could break out of the comment/CDATA and inject arbitrary markup.

v5 addressed this in fast-xml-builder@1.1.5 (pulled in by 5.7.0). v4 keeps
the builder inline, so the same neutralization is applied directly:
- CDATA: `]]>` -> `]]]]><![CDATA[>` (lossless split)
- comment: `--` -> `- -`, trailing `-` -> `- ` (a comment cannot contain `--`)

Applied to both the default and preserveOrder builders, with tests.
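The neutralization described in the PR description and in the commit message above, as an added example that is not the PR's own code or fast-xml-parser's: stand-alone helpers that apply the two substitutions and a minimal CDATA reader that checks the round-trip on the payload quoted in the description. Helper names are assumptions; the dash rule is written per dash so that runs of three or more dashes also come out free of `--`, which goes slightly beyond the two-step mapping stated above.

```javascript
// Added example (hypothetical helper names), not code from the PR or from fast-xml-parser.

// CDATA: a literal "]]>" in the value would close the section early. Splitting it into
// "]]]]><![CDATA[>" closes the section right after "]]" and re-opens it before ">", so
// no byte of the value is lost and a parser that concatenates adjacent sections
// recovers the original text.
function escapeCdataValue(val) {
  return String(val).replace(/\]\]>/g, ']]]]><![CDATA[>');
}

// Comments: XML forbids "--" inside a comment and a "-" directly before "-->".
// Every dash that is followed by another dash gets a space after it (so "--" becomes
// "- -" and "---" becomes "- - -"), and a trailing dash becomes "- ".
function escapeCommentValue(val) {
  return String(val).replace(/-(?=-)/g, '- ').replace(/-$/, '- ');
}

function buildCdata(val) {
  return `<![CDATA[${escapeCdataValue(val)}]]>`;
}

function buildComment(val) {
  return `<!--${escapeCommentValue(val)}-->`;
}

// Minimal reader modelling what an XML parser does with CDATA: each section ends at
// the first "]]>", everything else inside it is literal, adjacent sections concatenate.
function readCdataSections(xml) {
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let out = '';
  let m;
  while ((m = re.exec(xml)) !== null) out += m[1];
  return out;
}

// True when the built comment closes exactly once, at its end, with no "--" inside.
function commentIsIntact(xml) {
  const inner = xml.slice('<!--'.length, -'-->'.length);
  return xml.indexOf('-->') === xml.length - 3 && !inner.includes('--') && !inner.endsWith('-');
}

// Constructed inputs: the CDATA payload is the one quoted in the PR description.
const CDATA_PAYLOAD = 'a]]><script>alert(1)</script><![CDATA[b';
const COMMENT_PAYLOAD = 'x--><script>alert(1)</script><!--y-';

console.log(buildCdata(CDATA_PAYLOAD));
console.log(readCdataSections(buildCdata(CDATA_PAYLOAD)) === CDATA_PAYLOAD); // true
console.log(buildComment(COMMENT_PAYLOAD), commentIsIntact(buildComment(COMMENT_PAYLOAD))); // true
```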
@amitguptagwl amitguptagwl merged commit e561c21 into NaturalIntelligence:v4-maintenance Jul 2, 2026
3 checks passed