support maxNestedTags

amitguptagwl · amitguptagwl · commit 60835a4c7279 · 2026-02-25T10:02:32.000+05:30
diff --git a/docs/v4/2.XMLparseOptions.md b/docs/v4/2.XMLparseOptions.md
@@ -477,6 +477,62 @@ Output
 }
 ```
 
+## maxNestedTags
+Though it is not recommended to use deeply nested XML, but if you are using it then you can set `maxNestedTags` option to limit the nesting depth.
+
+Eg
+```js
+const xmlDataStr = `
+    <root>
+        <a>
+            <b>
+                <c>
+                    <d>
+                        <e>
+                            <f>
+                                <g>
+                                    <h>
+                                        <i>
+                                            <j>
+                                                <k>
+                                                    <l>
+                                                        <m>
+                                                            <n>
+                                                                <o>
+                                                                    <p>
+                                                                        <q>
+                                                                            <r>
+                                                                                <s/>
+                                                                            </r>
+                                                                        </q>
+                                                                    </p>
+                                                                </o>
+                                                            </n>
+                                                        </m>
+                                                    </l>
+                                                </k>
+                                            </j>
+                                        </i>
+                                    </h>
+                                </g>
+                            </f>
+                        </e>
+                    </d>
+                </c>
+            </b>
+        </a>
+    </root>`;
+
+const options = {
+    maxNestedTags: 10 //default is 100
+};
+const parser = new XMLParser(options);
+const output = parser.parse(xmlDataStr);
+```
+Output
+```bash
+Error: Maximum nested tags exceeded
+```
 
 ## numberParseOptions
 FXP uses [strnum](https://github.com/NaturalIntelligence/strnum) library to parse string into numbers. This property allows you to set configuration for strnum package.
diff --git a/lib/fxp.d.cts b/lib/fxp.d.cts
@@ -278,6 +278,13 @@ type X2jOptions = {
    * metadata about each the node in the XML file.
    */
   captureMetaData?: boolean;
+
+  /**
+   * Maximum number of nested tags
+   * 
+   * Defaults to `100`
+   */
+  maxNestedTags?: number;
 };
 
 type strnumOptions = {
diff --git a/spec/nfr_spec.js b/spec/nfr_spec.js
@@ -23,4 +23,21 @@ describe("XMLParser", function () {
     //   console.log(JSON.stringify(result, null,4));
     expect(result).toEqual(expected);
   });
+
+  it("should throw error for deeply nested XML", function () {
+
+    const depth = 102;
+    const xmlData = '<a>'.repeat(depth) + 'x' + '</a>'.repeat(depth);
+
+    const parser = new XMLParser();
+    expect(() => parser.parse(xmlData)).toThrowError("Maximum nested tags exceeded");
+  });
+  it("should not throw error when max depth is not reached", function () {
+
+    const depth = 100;
+    const xmlData = '<a>'.repeat(depth) + 'x' + '</a>'.repeat(depth);
+
+    const parser = new XMLParser({ maxNestedTags: 101 });
+    parser.parse(xmlData);
+  });
 });
diff --git a/src/fxp.d.ts b/src/fxp.d.ts
@@ -278,8 +278,17 @@ export type X2jOptions = {
    * metadata about each the node in the XML file.
    */
   captureMetaData?: boolean;
+
+  /**
+   * Maximum number of nested tags
+   * 
+   * Defaults to `100`
+   */
+  maxNestedTags?: number;
 };
 
+
+
 export type strnumOptions = {
   hex: boolean;
   leadingZeros: boolean,
diff --git a/src/xmlparser/OrderedObjParser.js b/src/xmlparser/OrderedObjParser.js
@@ -19,7 +19,7 @@ export default class OrderedObjParser {
     this.options = options;
     this.currentNode = null;
     this.tagsNodeStack = [];
-    this.docTypeEntities = {};
+    this.docTypeEntities = Object.create(null);
     this.lastEntities = {
       "apos": { regex: /&(apos|#39|#x27);/g, val: "'" },
       "gt": { regex: /&(gt|#62|#x3E);/g, val: ">" },
@@ -150,7 +150,7 @@ function buildAttributesMap(attrStr, jPath, tagName) {
 
     const matches = getAllMatches(attrStr, attrsRegx);
     const len = matches.length; //don't make it inline
-    const attrs = {};
+    const attrs = Object.create(null);
     for (let i = 0; i < len; i++) {
       const attrName = this.resolveNameSpace(matches[i][1]);
       if (this.ignoreAttributesFn(attrName, jPath)) {
@@ -192,7 +192,7 @@ function buildAttributesMap(attrStr, jPath, tagName) {
       return;
     }
     if (this.options.attributesGroupName) {
-      const attrCollection = {};
+      const attrCollection = Object.create(null);
       attrCollection[this.options.attributesGroupName] = attrs;
       return attrCollection;
     }
@@ -409,6 +409,9 @@ const parseXml = function (xmlData) {
           //opening tag
           else {
             const childNode = new xmlNode(tagName);
+            if (this.tagsNodeStack.length > this.options.maxNestedTags) {
+              throw new Error("Maximum nested tags exceeded");
+            }
             this.tagsNodeStack.push(currentNode);
 
             if (tagName !== tagExp && attrExpPresent) {
