New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix!: Avoid empty namespace value like xmlns:ds="" #168
fix!: Avoid empty namespace value like xmlns:ds="" #168
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. It would be really helpful if you can add a test that demonstrates the problem that is resolved by this proposal.
Hi @brodybits, pushed the test that I had implemented locally before finding the old PR jindw/xmldom#236. Without the code change, it would fail with:
|
Thanks for the quick update. It does look good to me. I would appreciate a quick review from another committer if anyone has time. |
@pdecat thank you for your contribution.
|
Exactly.
Yes, here is a new test for this:
Output from master:
That would probably be better indeed! |
Same test is green from this branch. Actually, isn't the issue really only in the serialization of the XML, where invalid XML is generated if the namespace URI is empty. |
Thx for the fast replies.
Which is also the behavior specified in the "Living standard" (which is not what xmldom is currently claiming to support, but is the most recent standard):
So I'm not sure how to decide wether it's a good idea to add that second test. If possible we should check if the standard xmldom tries to implement allows such DOMs to be created, and if not we should also change xmldom to fail on them, but this would be a much bigger change in behavior than this PR. Since xmldom currently supports creating such doms, your fix is totally valid and prevents output of invalid XML. So @brodybits I'm all for landing and releasing it. |
Hi @brodybits @karfau, I expected this PR would have been merged before the 0.5.0 release. Is the fixed CVE in that release the reason it was released in a hurry without going through all the milestone's PRs? |
…ld_upstream_pr-236_avoid_empty_namespace
My apologies. I just pushed an update to merge from master and took the liberty to update the title according to "Conventional Commits". Note that the bang ( @karfau I think we should merge this now. @pdecat I would like to ask for one more favor: please ping us again in case we do not merge this in the next 2-3 days. This has fallen though the cracks for way too long!! |
@brodybits Merged it, but just realized that it's not a refactoring, which by definition never changes behavior. |
@brodybits I checked the 0.5.0 release and cleaned it up, the only thing left is to update the changelog. |
FTR, this fix is not complete as altering the added test case a bit reveals the issue is still present in some cases:
|
Thanks for the altered test case. It would be extremely helpful if you could raise a new issue to help us track the problem. |
Opened #243 |
Since this is the original issue I will put this information remarks here: Just today I stumbled across two confusing details in the "Scoping" section of the XML namespaces spec:
So I again checked the section that we previously used to reason for the fix it says (emphasis mine):
I think the case described in the scoping section is really a niche case, so I'm not to worried for now. But we just implemented
so the example provided in the spec will not fail to be parsed and will even be valid when serializing into a string again, since we skip serializing the "redeclared empty value namespace". I'm just putting it here for completeness sake and for people to find this information in the future. |
This PR resolves an issue where empty namespaces are added when parsing/serializing XML.
This a port of the old jindw/xmldom#236 PR from the previous upstream repository.
Description from the original PR: