use @nodable/entities to replace entities

Author: amitguptagwl

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion
 
+**5.5.13** (not released yet)
+- fix: entity replacement for numeric entities
+- use @nodable/entities to replace entities
+
 **5.5.12 / 2026-04-13**
 - Performance Improvement: update path-expression-matcher
   - use proxy pattern than Proxy class

package-lock.json

@@ -87,8 +87,9 @@
     }
   ],
   "dependencies": {
+    "@nodable/entities": "^1.0.1",
     "fast-xml-builder": "^1.1.4",
     "path-expression-matcher": "^1.5.0",
     "strnum": "^2.2.3"
   }
-}
+}

package.json

@@ -72,7 +72,7 @@ describe("XMLParser entity expansion security", function () {
 
       expect(function () {
         parser.parse(xmlData);
-      }).toThrowError(/Entity expansion limit exceeded/);
+      }).toThrowError("[EntityReplacer] Entity expansion count limit exceeded: 1500 > 1000");
     });
 
     it("should allow expansions within limit", function () {
@@ -109,7 +109,7 @@ describe("XMLParser entity expansion security", function () {
 
       expect(function () {
         parser.parse(xmlData);
-      }).toThrowError(/Entity expansion limit exceeded/);
+      }).toThrowError("[EntityReplacer] Entity expansion count limit exceeded: 1200 > 1000");
     });
   });
 
@@ -132,7 +132,7 @@ describe("XMLParser entity expansion security", function () {
 
       expect(function () {
         parser.parse(xmlData);
-      }).toThrowError(/Total expanded content size exceeded/);
+      }).toThrowError("[EntityReplacer] Expanded content length limit exceeded: 149250 > 100000");
     });
 
     it("should allow expansions within maxExpandedLength", function () {
@@ -188,7 +188,7 @@ describe("XMLParser entity expansion security", function () {
 
       expect(function () {
         parser.parse(xmlData);
-      }).toThrowError(/Entity expansion limit exceeded/);
+      }).toThrowError("[EntityReplacer] Entity expansion count limit exceeded: 5000 > 1000");
     });
 
     it("should prevent billion laughs with maxExpandedLength", function () {
@@ -205,7 +205,7 @@ describe("XMLParser entity expansion security", function () {
 
       expect(function () {
         parser.parse(xmlData);
-      }).toThrowError(/Total expanded content size exceeded/);
+      }).toThrowError("[EntityReplacer] Expanded content length limit exceeded: 199000 > 100000");
     });
   });
 
@@ -407,7 +407,7 @@ describe("XMLParser entity expansion security", function () {
 
       expect(function () {
         parser.parse(xmlData);
-      }).toThrowError(/Total expanded content size exceeded/);
+      }).toThrowError("[EntityReplacer] Expanded content length limit exceeded: 19400 > 10000");
     });
   });
 

spec/entities_security_spec.js

@@ -96,6 +96,6 @@ describe("XMLParser", function () {
     expect(function () {
       const result = parser.parse(xmlData);
       console.log(JSON.stringify(result, null, 4));
-    }).toThrowError(/Entity expansion limit exceeded: 30 > 20/);
+    }).toThrowError("[EntityReplacer] Entity expansion count limit exceeded: 30 > 20");
   });
 });

spec/html_spec.js

@@ -8,6 +8,7 @@ import toNumber from "strnum";
 import getIgnoreAttributesFn from "../ignoreAttributes.js";
 import { Expression, Matcher } from 'path-expression-matcher';
 import { ExpressionSet } from 'path-expression-matcher';
+import EntityReplacer, { COMMON_HTML, NUMERIC_ENTITIES } from '@nodable/entities';
 
 // const regx =
 //   '<((!\\[CDATA\\[([\\s\\S]*?)(]]>))|((NAME:)?(NAME))([^>]*)>|((\\/)(NAME)\\s*>))([^<]*)'
@@ -72,32 +73,6 @@ export default class OrderedObjParser {
     this.options = options;
     this.currentNode = null;
     this.tagsNodeStack = [];
-    this.docTypeEntities = {};
-    this.lastEntities = {
-      "apos": { regex: /&(apos|#39|#x27);/g, val: "'" },
-      "gt": { regex: /&(gt|#62|#x3E);/g, val: ">" },
-      "lt": { regex: /&(lt|#60|#x3C);/g, val: "<" },
-      "quot": { regex: /&(quot|#34|#x22);/g, val: "\"" },
-    };
-    this.ampEntity = { regex: /&(amp|#38|#x26);/g, val: "&" };
-    this.htmlEntities = {
-      "space": { regex: /&(nbsp|#160);/g, val: " " },
-      // "lt" : { regex: /&(lt|#60);/g, val: "<" },
-      // "gt" : { regex: /&(gt|#62);/g, val: ">" },
-      // "amp" : { regex: /&(amp|#38);/g, val: "&" },
-      // "quot" : { regex: /&(quot|#34);/g, val: "\"" },
-      // "apos" : { regex: /&(apos|#39);/g, val: "'" },
-      "cent": { regex: /&(cent|#162);/g, val: "¢" },
-      "pound": { regex: /&(pound|#163);/g, val: "£" },
-      "yen": { regex: /&(yen|#165);/g, val: "¥" },
-      "euro": { regex: /&(euro|#8364);/g, val: "€" },
-      "copyright": { regex: /&(copy|#169);/g, val: "©" },
-      "reg": { regex: /&(reg|#174);/g, val: "®" },
-      "inr": { regex: /&(inr|#8377);/g, val: "₹" },
-      "num_dec": { regex: /&#([0-9]{1,7});/g, val: (_, str) => fromCodePoint(str, 10, "&#") },
-      "num_hex": { regex: /&#x([0-9a-fA-F]{1,6});/g, val: (_, str) => fromCodePoint(str, 16, "&#x") },
-    };
-    this.addExternalEntities = addExternalEntities;
     this.parseXml = parseXml;
     this.parseTextData = parseTextData;
     this.resolveNameSpace = resolveNameSpace;
@@ -111,6 +86,16 @@ export default class OrderedObjParser {
     this.entityExpansionCount = 0;
     this.currentExpandedLength = 0;
 
+    this.entityReplacer = new EntityReplacer({
+      default: true,
+      // amp:     true,
+      system: this.options.htmlEntities ? { ...COMMON_HTML, ...NUMERIC_ENTITIES } : {},
+      maxTotalExpansions: this.options.processEntities.maxTotalExpansions,
+      maxExpandedLength: this.options.processEntities.maxExpandedLength,
+      applyLimitsTo: "all",
+      //postCheck: resolved => resolved
+    });
+
     // Initialize path matcher for path-expression-matcher
     this.matcher = new Matcher();
 
@@ -141,17 +126,6 @@ export default class OrderedObjParser {
 
 }
 
-function addExternalEntities(externalEntities) {
-  const entKeys = Object.keys(externalEntities);
-  for (let i = 0; i < entKeys.length; i++) {
-    const ent = entKeys[i];
-    const escaped = ent.replace(/[.\-+*:]/g, '\\.');
-    this.lastEntities[ent] = {
-      regex: new RegExp("&" + escaped + ";", "g"),
-      val: externalEntities[ent]
-    }
-  }
-}
 
 /**
  * @param {string} val
@@ -308,9 +282,6 @@ const parseXml = function (xmlData) {
   // Reset entity expansion counters for this document
   this.entityExpansionCount = 0;
   this.currentExpandedLength = 0;
-  this.docTypeEntitiesKeys = [];
-  this.lastEntitiesKeys = Object.keys(this.lastEntities);
-  this.htmlEntitiesKeys = this.options.htmlEntities ? Object.keys(this.htmlEntities) : [];
   const options = this.options;
   const docTypeReader = new DocTypeReader(options.processEntities);
   const xmlLen = xmlData.length;
@@ -390,8 +361,7 @@ const parseXml = function (xmlData) {
       } else if (c1 === 33
         && xmlData.charCodeAt(i + 2) === 68) { //'!D'
         const result = docTypeReader.readDocType(xmlData, i);
-        this.docTypeEntities = result.entities;
-        this.docTypeEntitiesKeys = Object.keys(this.docTypeEntities) || []
+        this.entityReplacer.addInputEntities(result.entities);
         i = result.i;
       } else if (c1 === 33
         && xmlData.charCodeAt(i + 2) === 91) { // '!['
@@ -632,78 +602,7 @@ function replaceEntitiesValue(val, tagName, jPath) {
     }
   }
 
-  // Replace DOCTYPE entities
-  for (const entityName of this.docTypeEntitiesKeys) {
-    const entity = this.docTypeEntities[entityName];
-    const matches = val.match(entity.regx);
-
-    if (matches) {
-      // Track expansions
-      this.entityExpansionCount += matches.length;
-
-      // Check expansion limit
-      if (entityConfig.maxTotalExpansions &&
-        this.entityExpansionCount > entityConfig.maxTotalExpansions) {
-        throw new Error(
-          `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}`
-        );
-      }
-
-      // Store length before replacement
-      const lengthBefore = val.length;
-      val = val.replace(entity.regx, entity.val);
-
-      // Check expanded length immediately after replacement
-      if (entityConfig.maxExpandedLength) {
-        this.currentExpandedLength += (val.length - lengthBefore);
-
-        if (this.currentExpandedLength > entityConfig.maxExpandedLength) {
-          throw new Error(
-            `Total expanded content size exceeded: ${this.currentExpandedLength} > ${entityConfig.maxExpandedLength}`
-          );
-        }
-      }
-    }
-  }
-  if (val.indexOf('&') === -1) return val;
-  // Replace standard entities
-  for (const entityName of this.lastEntitiesKeys) {
-    const entity = this.lastEntities[entityName];
-    const matches = val.match(entity.regex);
-    if (matches) {
-      this.entityExpansionCount += matches.length;
-      if (entityConfig.maxTotalExpansions &&
-        this.entityExpansionCount > entityConfig.maxTotalExpansions) {
-        throw new Error(
-          `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}`
-        );
-      }
-    }
-    val = val.replace(entity.regex, entity.val);
-  }
-  if (val.indexOf('&') === -1) return val;
-
-  // Replace HTML entities if enabled
-  for (const entityName of this.htmlEntitiesKeys) {
-    const entity = this.htmlEntities[entityName];
-    const matches = val.match(entity.regex);
-    if (matches) {
-      //console.log(matches);
-      this.entityExpansionCount += matches.length;
-      if (entityConfig.maxTotalExpansions &&
-        this.entityExpansionCount > entityConfig.maxTotalExpansions) {
-        throw new Error(
-          `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}`
-        );
-      }
-    }
-    val = val.replace(entity.regex, entity.val);
-  }
-
-  // Replace ampersand entity last
-  val = val.replace(this.ampEntity.regex, this.ampEntity.val);
-
-  return val;
+  return this.entityReplacer.replace(val);
 }
 
 

src/xmlparser/OrderedObjParser.js

@@ -32,7 +32,7 @@ export default class XMLParser {
             }
         }
         const orderedObjParser = new OrderedObjParser(this.options);
-        orderedObjParser.addExternalEntities(this.externalEntities);
+        orderedObjParser.entityReplacer.setExternalEntities(this.externalEntities);
         const orderedResult = orderedObjParser.parseXml(xmlData);
         if (this.options.preserveOrder || orderedResult === undefined) return orderedResult;
         else return prettify(orderedResult, this.options, orderedObjParser.matcher, orderedObjParser.readonlyMatcher);

src/xmlparser/XMLParser.js

@@ -1068,6 +1068,11 @@
     "@jridgewell/resolve-uri" "^3.1.0"
     "@jridgewell/sourcemap-codec" "^1.4.14"
 
+"@nodable/entities@^1.0.1":
+  version "1.0.1"
+  resolved "https://registry.npmjs.org/@nodable/entities/-/entities-1.0.1.tgz"
+  integrity sha512-P+QVl83POYu47navqBcOSbjJzYlGQNXwzZXDAt3im6Kzs8tn3twmDKHuAEjB9zpQCF45Hc1xY4ND0lQAV12NXA==
+
 "@nodelib/fs.scandir@2.1.5":
   version "2.1.5"
   resolved "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz"