report more non well-formed cases #519 / #45 / #125 / #467 BREAKING-CHANGE: Reports more not well-formed documents as fatalError and drop broken support for optional and unclosed tags in HTML.

Other

Translate/drop non English comments #518
use node v16 for development #517

Thank you, @brodybits, @cbettinger, @josecarlosrx, for your contributions

0.9.0-beta.10

Fixed

dom: prevent iteration over deleted items #514/ #499

Chore

use prettier plugin for jsdoc #513

Thank you, @qtow, @shunkica, @homer0, for your contributions

0.8.10

Fixed

dom: prevent iteration over deleted items #514/ #499

Thank you, @qtow, for your contributions

0.7.13

Fixed

dom: prevent iteration over deleted items #514/ #499

Thank you, @qtow, for your contributions

0.9.0-beta.9

Fixed

Set nodeName property in ProcessingInstruction #509 / #505
preserve DOCTYPE internal subset #498 / #497 / #117
BREAKING CHANGES: Many documents that were previously accepted by xmldom, esecially non well-formed ones are no longer accepted. Some issues that were formerly reported as errors are now a fatalError.
DOMParser: Align parseFromString errors with specs #454

Chore

stop running mutation tests using stryker #496
make toErrorSnapshot windows compatible #503

Thank you, @cjbarth, @shunkica, @pmahend1, @niklasl, for your contributions

0.8.9

Fixed

Set nodeName property in ProcessingInstruction #509 / #505

Thank you, @cjbarth, for your contributions

0.7.12

Fixed

Set nodeName property in ProcessingInstruction #509 / #505

Thank you, @cjbarth, for your contributions

0.9.0-beta.8

Fixed

Throw DOMException when calling removeChild with invalid parameter #494 / #135

BREAKING CHANGE: Previously it was possible (but not documented) to call Node.removeChild with any node in the tree, and with certain exceptions, it would work. This is no longer the case: calling Node.removeChild with an argument that is not a direct child of the node that it is called from, will throw a NotFoundError DOMException, as it is described by the specs.

Thank you, @noseworthy, @davidmc24, for your contributions

0.9.0-beta.7

Feature

Add compareDocumentPosition method from level 3 spec. #488

Fixed

getAttribute and getAttributeNS should return null (#477) #46
several issues in NamedNodeMap and Element (#482) #46
properly parse closing where the last attribute has no value #485 / #486
extend list of HTML entities #489

BREAKING CHANGE: Iteration over attributes now happens in the right order and non-existing attributes now return null instead of undefined. THe same is true for the namepsaceURI and prefix of Attr nodes. All of the changes are fixing misalignment with the DOM specs, so if you expected it to work as specified, nothing should break for you.

Chore

update multiple devDependencies
Configure jest (correctly) and wallaby #481 / #483

Thank you, @bulandent, @zorkow, for your contributions

0.8.8

Fixed

extend list of HTML entities #489

Thank you, @zorkow, for your contributions

0.7.11

Fixed

extend list of HTML entities #489

Thank you, @zorkow, for your contributions

0.8.7

Fixed

properly parse closing where the last attribute has no value #485 / #486

Thank you, @bulandent, for your contributions

0.7.10

Fixed

properly parse closing where the last attribute has no value #485 / #486

Thank you, @bulandent, for your contributions

0.8.6

Fixed

Properly check nodes before replacement #457 / #455 / #456

Thank you, @edemaine, @pedro-l9, for your contributions

0.7.9

Fixed

Properly check nodes before replacement #457 / #455 / #456

Thank you, @edemaine, @pedro-l9, for your contributions

0.9.0-beta.6

Fixed

Properly check nodes before replacement #457 / #455 / #456

Thank you, @edemaine, @pedro-l9, for your contributions

0.9.0-beta.5

Fixed

fix: Restore ES5 compatibility #452 / #453

Thank you, @fengxinming, for your contributions

0.8.5

Fixed

fix: Restore ES5 compatibility #452 / #453

Thank you, @fengxinming, for your contributions

0.7.8

Fixed

fix: Restore ES5 compatibility #452 / #453

Thank you, @fengxinming, for your contributions

0.9.0-beta.4

Fixed

Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353 In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly. In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead. This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior. Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Chore

update multiple devDependencies
Add eslint-plugin-node for lib #448 / #190
style: Apply prettier to all code #447 / #29 / #130

Thank you, @XhmikosR, @awwright, @frumioj, @cjbarth, @markgollnick for your contributions

0.8.4

Fixed

Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353 In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly. In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead. This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior. Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Thank you, @frumioj, @cjbarth, @markgollnick for your contributions

0.7.7

Fixed

Security: Prevent inserting DOM nodes when they are not well-formed CVE-2022-39353 In case such a DOM would be created, the part that is not well-formed will be transformed into text nodes, in which xml specific characters like < and > are encoded accordingly. In the upcoming version 0.9.0 those text nodes will no longer be added and an error will be thrown instead. This change can break your code, if you relied on this behavior, e.g. multiple root elements in the past. We consider it more important to align with the specs that we want to be aligned with, considering the potential security issues that might derive from people not being aware of the difference in behavior. Related Spec: https://dom.spec.whatwg.org/#concept-node-ensure-pre-insertion-validity

Thank you, @frumioj, @cjbarth, @markgollnick for your contributions

0.9.0-beta.3

Fixed

fix: Stop adding tags after incomplete closing tag #445 / #416 BREAKING CHANGE: It no longer reports an error when parsing HTML containing incomplete closing tags, to align the behavior with the one in the browser. BREAKING CHANGE: If your code relied on not well-formed XML to be parsed and include subsequent tags, this will no longer work.
fix: Avoid bidirectional characters in source code #440

Other

ci: Add CodeQL scan #444

Thank you, @ACN-kck, @mgerlach for your contributions

0.7.6

Fixed

Avoid iterating over prototype properties #441 / #437 / #436

Thank you, @jftanner, @Supraja9726 for your contributions

0.8.3

Fixed

Avoid iterating over prototype properties #437 / #436

Thank you, @Supraja9726 for your contributions

0.9.0-beta.2

Fixed

Avoid iterating over prototype properties #437 / #436

Thank you, @Supraja9726 for your contributions

0.9.0-beta.1

Fixed

Only use HTML rules if mimeType matches #338, fixes #203

In the living specs for parsing XML and HTML, that this library is trying to implement, there is a distinction between the different types of documents being parsed: There are quite some rules that are different for parsing, constructing and serializing XML vs HTML documents.

So far xmldom was always "detecting" whether "the HTML rules should be applied" by looking at the current namespace. So from the first time an the HTML default namespace (http://www.w3.org/1999/xhtml) was found, every node was treated as being part of an HTML document. This misconception is the root cause for quite some reported bugs.

BREAKING CHANGE: HTML rules are no longer applied just because of the namespace, but require the mimeType argument passed to DOMParser.parseFromString(source, mimeType) to match 'text/html'. Doing so implies all rules for handling casing for tag and attribute names when parsing, creation of nodes and searching nodes.

BREAKING CHANGE: Correct the return type of DOMParser.parseFromString to Document | undefined. In case of parsing errors it was always possible that "the returned Document" has not been created. In case you are using Typescript you now need to handle those cases.

BREAKING CHANGE: The instance property DOMParser.options is no longer available, instead use the individual readonly property per option (assign, domHandler, errorHandler, normalizeLineEndings, locator, xmlns). Those also provides the default value if the option was not passed. The 'locator' option is now just a boolean (default remains true).

BREAKING CHANGE: The following methods no longer allow a (non spec compliant) boolean argument to toggle "HTML rules":

XMLSerializer.serializeToString
Node.toString
Document.toString

The following interfaces have been implemented: DOMImplementation now implements all methods defined in the DOM spec, but not all of the behavior is implemented (see docstring):

createDocument creates an "XML Document" (prototype: Document, property type is 'xml')
createHTMLDocument creates an "HTML Document" (type/prototype: Document, property type is 'html').
- when no argument is passed or the first argument is a string, the basic nodes for an HTML structure are created, as specified
- when the first argument is false no child nodes are created

Document now has two new readonly properties as specified in the DOM spec:

contentType which is the mime-type that was used to create the document
type which is either the string literal 'xml' or 'html'

MIME_TYPE (/lib/conventions.js):

hasDefaultHTMLNamespace test if the provided string is one of the miem types that implies the default HTML namespace: text/html or application/xhtml+xml

Thank you @weiwu-zhang for your contributions

Chore

update multiple devDependencies

0.8.2

Fixed

fix(dom): Serialize > as specified (#395) #58

Other

docs: Add nodeType values to public interface description #396
test: Add executable examples for node and typescript #317
fix(dom): Serialize > as specified #395
chore: Add minimal Object.assign ponyfill #379
docs: Refine release documentation #378
chore: update various dev dependencies

Thank you @niklasl, @cburatto, @SheetJSDev, @pyrsmk for your contributions

0.8.1

Fixes

Only use own properties in entityMap #374

Docs

Add security policy #365
changelog: Correct contributor name and link #366
Describe release/publish steps #358, #376
Add snyk package health badge #360

0.8.0

Fixed

Normalize all line endings according to XML specs 1.0 and 1.1
BREAKING CHANGE: Certain combination of line break characters are normalized to a single \n before parsing takes place and will no longer be preserved.
- #303 / #307
- #49, #97, #324 / #314
XMLSerializer: Preserve whitespace character references #284 / #310
BREAKING CHANGE: If you relied on the not spec compliant preservation of literal \t, \n or \r in attribute values. To preserve those you will have to create XML that instead contains the correct numerical (or hexadecimal) equivalent (e.g. 	, 
, ).
Drop deprecated exports DOMImplementation and XMLSerializer from lib/dom-parser.js #53 / #309 BREAKING CHANGE: Use the one provided by the main package export.
dom: Remove all links as part of removeChild #343 / #355

Chore

ci: Restore latest tested node version to 16.x #325
ci: Split test and lint steps into jobs #111 / #304
Pinned and updated devDependencies

Thank you @marrus-sh, @victorandree, @mdierolf, @tsabbay, @fatihpense for your contributions

0.7.5

Commits

Fixes:

Preserve default namespace when serializing #319 / #321 Thank you, @lupestro

0.7.4

Commits

Fixes:

Restore ability to parse __prototype__ attributes #315 Thank you, @dsimpsonOMF

0.7.3

Commits

Fixes:

Add doctype when parsing from string #277 / #301
Correct typo in error message #294 Thank you, @rrthomas

Refactor:

Improve exports & require statements, new main package entry #233

Docs:

Fix Stryker badge #298
Fix link to help-wanted issues #299

Chore:

Execute stryker:dry-run on branches #302
Fix stryker config #300
Split test and lint scripts #297
Switch to stryker dashboard owned by org #292

0.7.2

Commits

Fixes:

Types: Add index.d.ts to packaged files #288 Thank you, @forty

0.7.1

Commits

Fixes:

Types: Copy types from DefinitelyTyped #283 Thank you, @kachkaev

Chore:

package.json: remove author, maintainers, etc. #279

0.7.0

Commits

Due to #271 this version was published as

unscoped xmldom package to github (git tags 0.7.0 and 0.7.0+unscoped)
scoped @xmldom/xmldom package to npm (git tag 0.7.0+scoped) For more details look at #278

Fixes:

Security: Misinterpretation of malicious XML input CVE-2021-32796
Implement Document.getElementsByClassName as specified #213, thank you, @ChALkeR
Inherit namespace prefix from parent when required #268
Handle whitespace in closing tags #267
Update DOMImplementation according to recent specs #210
BREAKING CHANGE: Only if you "passed features to be marked as available as a constructor arguments" and expected it to "magically work".
No longer serializes any namespaces with an empty URI #244
(related to #168 released in 0.6.0)
BREAKING CHANGE: Only if you rely on "unsetting" a namespace prefix by setting it to an empty string
Set localName as part of Document.createElement #229, thank you, @rrthomas

CI

We are now additionally running tests against node v16
Stryker tests on the master branch now run against node v14

Docs

Describe relations with and between specs: #211, #247

0.6.0

Commits

Fixes

Stop serializing empty namespace values like xmlns:ds="" #168
BREAKING CHANGE: If your code expected empty namespaces attributes to be serialized.
Thank you, @pdecat and @FranckDepoortere
Escape < to < when serializing attribute values #198 / #199

0.5.0

Commits

Fixes

Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)
- Improve error reporting; throw on duplicate attribute
  BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them. It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.
  
  To accomplish this and also be able to verify it in tests I needed to
  - create a new Error type ParseError and export it
  - Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
  - export DOMHandler constructor as __DOMHandler
- Preserve quotes in DOCTYPE declaration Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes. BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping. (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)
  
  https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)
Fix breaking preprocessors' directives when parsing attributes #171
fix(dom): Escape ]]> when serializing CharData #181
Switch to (only) MIT license (drop problematic LGPL license option) #178
Export DOMException; remove custom assertions; etc. #174

Docs

Update MDN links in readme.md #188

0.4.0

Commits

Fixes

BREAKING Restore   behavior from v0.1.27 #67
BREAKING Typecheck source param before parsing #113
Include documents in package files list #156
Preserve doctype with sysid #144
Remove ES6 syntax from getElementsByClassName #91
Revert "Add lowercase of åäö in entityMap" due to duplicate entries #84
fix: Convert all line separators to LF #66

Docs

Update CHANGELOG.md through version 0.3.0 #63
Update badges #78
Add .editorconfig file #104
Add note about import #79
Modernize & improve the example in readme.md #81

CI

Add Stryker Mutator #70
Add Stryker action to update dashboard #77
Add Node GitHub action workflow #64
add & enable eslint #106
Use eslint-plugin-es5 to enforce ES5 syntax #107
Recover vows tests, drop proof tests #59
Add jest tessuite and first tests #114
Add jest testsuite with xmltest cases #112
Configure Renovate #108
Test European HTML entities #86
Updated devDependencies

Other

Remove files that are not of any use #131, #65, #33

0.3.0

Commits

BREAKING Node >=10.x is now required.
BREAKING Remove component.json (deprecated package manager https://github.com/componentjs/guide)
BREAKING Move existing sources into lib subdirectory.
POSSIBLY BREAKING Introduce files entry in package.json and remove use of .npmignore.
Add Document.getElementsByClassName.
Add Node to the list of exports
Add lowercase of åäö in entityMap.
Move CHANGELOG to markdown file.
Move LICENSE to markdown file.

0.2.1

Commits

Correct homepage, repository and bugs URLs in package.json.

0.2.0

Commits

Includes all BREAKING changes introduced in xmldom-alpha@v0.1.28 by the original authors.
POSSIBLY BREAKING remove the Object.create check from the _extends method of dom.js that added a __proto__ property ().
POSSIBLY BREAKING remove code that added a __proto__ property
formatting/corrections in package.json

0.1.31

Commits

The patch versions (v0.1.29 - v0.1.31) that have been released on the v0.1.x branch, to reflect the changed maintainers, are branched off from v0.1.27 so they don't include the breaking changes introduced in xmldom-alpha@v0.1.28:

Maintainer changes

After the last commit to the original repository https://github.com/jindw/xmldom on the 9th of May 2017, the first commit to https://github.com/xmldom/xmldom is from the 19th of December 2019. The fork has been announced in the original repository on the 2nd of March 2020.

The versions listed below have been published to one or both of the following packages:

It is currently not planned to continue publishing the xmldom-alpha package.

The new maintainers did not invest time to understand changes that led to the last xmldom version 0.1.27 published by the original maintainer, but consider it the basis for their work. A timeline of all the changes that happened from that version until 0.3.0 is available in https://github.com/xmldom/xmldom/issues/62. Any related questions should be asked there.

0.1.28

Commits

Published by @jindw on the 9th of May 2017 as

xmldom-alpha@0.1.28
BREAKING includes regression regarding   (issue #57)
Fix license field in package.json
Conditional converting of HTML entities
Fix dom.js serialization issue for missing document element (example that failed on toString() before this change)
Add new module entities.js

0.1.27

Published by @jindw on the 28th of Nov 2016 as

xmldom@0.1.27
xmldom-alpha@0.1.27
Various bug fixes.

0.1.26

Published on the 18th of Nov 2016 as xmldom@0.1.26

Details unknown

0.1.25

Published on the 18th of Nov 2016 as

xmldom@0.1.25
Details unknown

0.1.24

Published on the 27th of November 2016 as

xmldom@0.1.24
xmldom-alpha@0.1.24
Added node filter.

0.1.23

Published on the 5th of May 2016 as

xmldom-alpha@0.1.23
Add namespace support for nest node serialize.
Various other bug fixes.

0.1.22

Merge XMLNS serialization.
Remove \r from source string.
Print namespaces for child elements.
Switch references to nodeType to use named constants.
Add nodelist toString support.

0.1.21

Fix serialize bug.

0.1.20

Optimize invalid XML support.
Add toString sorter for attributes output.
Add html self closed node button.
Add * NS support for getElementsByTagNameNS.
Convert attribute's value to string in setAttributeNS.
Add support for HTML entities for HTML docs only.
Fix TypeError when Document is created with DocumentType.

0.1.19

Fix infinite loop on unclosed comment (jindw/xmldom#68)
Add error report for unclosed tag.
Various other fixes.

0.1.18

Add default ns support.
parseFromString now renders entirely plain text documents as textNode.
Enable option to ignore white space on parsing.

0.1.17

Details missing for this and potential earlier version

0.1.16

Correctly handle multibyte Unicode greater than two byts. #57. #56.
Initial unit testing and test coverage. #53. #46. #19.
Create Bower component.json #52.

0.1.8

Add: some test case from node-o3-xml(excludes xpath support)
Fix: remove existed attribute before setting (bug introduced in v0.1.5)
Fix: index direct access for childNodes and any NodeList collection(not w3c standard)
Fix: remove last child bug

43 KiB Raw Blame History

Changelog

Fixed

Chore

Added

Fixed

Performance

Chore

Fixed

Chore

Fixed

Fixed

Docs

Fixed

Docs

Chore

Changelog

Feature

Fixed

Fixed

Other

Features

Fixed

Other

Fixed

Other

Fixed

Chore

Fixed

Fixed

Fixed

Chore

Fixed

Fixed

Fixed

Feature

Fixed

Chore

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Chore

Fixed

Fixed

Fixed

Other

Fixed

Fixed

Fixed

Fixed

Chore

Fixed

Other

Fixes

Docs

Fixed

Chore

0.7.5

Fixes:

0.7.4

Fixes:

0.7.3

Fixes:

Refactor:

Docs:

Chore:

0.7.2

Fixes:

0.7.1

Fixes:

Chore:

0.7.0

43 KiB

Raw Blame History