fix: escape comment and CDATA delimiters when building XML (GHSA-gh4j-gqv2-49f6)#847
Merged
amitguptagwl merged 1 commit into NaturalIntelligence:v4-maintenance on Jul 2, 2026
Conversation
…-gqv2-49f6)

Backport to the v4 maintenance line of the v5 fix for GHSA-gh4j-gqv2-49f6 (CVE-2026-41650).

When a value placed in a comment node contains `-->` (or `--`), or a CDATA node contains `]]>`, the builder emitted it verbatim, so the value could break out of the comment/CDATA and inject arbitrary markup.

v5 addressed this in fast-xml-builder@1.1.5 (pulled in by 5.7.0). v4 keeps the builder inline, so the same neutralization is applied directly:

- CDATA: `]]>` -> `]]]]><![CDATA[>` (lossless split)
- comment: `--` -> `- -`, trailing `-` -> `- ` (a comment cannot contain `--`)

Applied to both the default and preserveOrder builders, with tests.
e561c21 into NaturalIntelligence:v4-maintenance
3 checks passed
Purpose / Goal
Backport to the `v4-maintenance` line of the v5 fix for GHSA-gh4j-gqv2-49f6 / CVE-2026-41650 (XML Comment and CDATA Injection via Unescaped Delimiters in `XMLBuilder`).

On v4 the builder writes comment and CDATA values verbatim:

- `src/xmlbuilder/json2xml.js`: `<!--${val}-->` and `<![CDATA[${val}]]>`
- `src/xmlbuilder/orderedJs2Xml.js`: the same two cases for `preserveOrder`

So a value that contains `-->` (or `--`) in a comment, or `]]>` in a CDATA section, breaks out and injects arbitrary markup. On the current `legacy` release (4.5.6):

v5 fixed this in `fast-xml-builder@1.1.5` (pulled in by 5.7.0, published 2026-04-17). v4 keeps the builder inline, so this applies the same neutralization directly:

- `]]>` -> `]]]]><![CDATA[>` (lossless split, round-trips)
- `--` -> `- -`, and a trailing `-` -> `- ` (a comment cannot legally contain `--`)

4.5.6 is the current `legacy` dist-tag and was published before 5.7.0, so it still reproduces; the fix was not backported.

Type

Regression tests added in `spec/comments_spec.js` and `spec/cdata_spec.js` covering both the default and `preserveOrder` builders. Full suite passes (285 specs, 0 failures). Happy to open a tracking issue first if you prefer.