fix: escape all CDATA end sequences in builder#724
Open
spokodev wants to merge 1 commit into
Open
Conversation
escapeCDATA used a non-global string replace, so only the first `]]>` in a value was split. A second `]]>` survived intact and prematurely terminated the CDATA section (XML 1.0 section 2.7), producing invalid XML and corrupting the value on round-trip. Make the replace global so every `]]>` occurrence is split.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When
cdata: trueis set on theBuilder, a string value that contains two or more]]>sequences produces invalid XML and is corrupted on round-trip.The first
]]>is split correctly, but the second one survives intact. Per XML 1.0 section 2.7, a CDATA section ends at the first literal]]>, so that second sequence prematurely terminates the section. The remaining text is then re-parsed as element content, dropping/garbling characters and (depending on the value) emitting malformed XML. A value with a single]]>round-trips fine, which is why this slipped through.Root cause
escapeCDATAuses a non-global stringreplace, which only replaces the first occurrence:Fix
Use a global regex so every
]]>occurrence is split:Applied to both the CoffeeScript source (
src/builder.coffee) and the committed compiled output (lib/builder.js); the compiled change matchescoffee -coutput exactly.Tests
Added a round-trip test asserting that a value with two
]]>sequences survivesBuilder({ cdata: true })->parseStringunchanged.'a ]]> b c]]>' == 'a ]]> b ]]> c'.