Normalize xpath for json escaping (#2809)

* feat(core): add XML to JSON normalization utility and support NodeList conversion

- Introduced `NormalizeXMLForJsonUtil` to normalize XML structures (e.g., `NodeList`) into JSON-compatible formats.
- Enhanced `toJSON` method in `CommonBuiltInFunctions` to use the new utility for handling `NodeList` inputs.
- Updated tests to verify XML to JSON normalization (`NormalizeXMLForJsonUtilTest`).
- Refactored transformation tutorials to simplify and align with updated JSON handling.

* refactor(core): switch to enhanced `switch` syntax in `NormalizeXMLForJsonUtil`

- Updated `normalizeForJson` method to use Java's modern `switch` expression for improved readability and maintainability.

* feat(core): enhance XML to JSON normalization with improved Node and NodeList handling

- Updated `toJSON` to support `Node` normalization alongside `NodeList`.
- Refined `normalizeForJson` to handle empty `NodeList` as empty JSON arrays and return `null` for empty nodes.
- Improved test coverage for edge cases, including empty nodes and missing XPath results.

* fix(core): handle null Node values in `normalizeForJson` and improve test coverage

- Updated `normalizeForJson` to account for null `Node` values gracefully.
- Enhanced test cases with additional validations for XPath evaluation and Jackson round-trips.
- Replaced deprecated assertions with `assertInstanceOf` for improved clarity.

* test(core): replace deprecated assertions in `CommonBuiltInFunctionsTest`

- Updated test cases to use `assertInstanceOf` instead of `instanceof` checks for improved clarity.

* test(core): replace deprecated `assertInstanceOf` with `assertTrue` in `NormalizeXMLForJsonUtilTest`

- Updated test cases to use `assertTrue` for type checks instead of `assertInstanceOf`.

Author: predic8

core/src/main/java/com/predic8/membrane/core/lang/CommonBuiltInFunctions.java

@@ -28,6 +28,7 @@
 import org.jetbrains.annotations.*;
 import org.slf4j.*;
 import org.slf4j.Logger;
+import org.w3c.dom.*;
 
 import javax.xml.namespace.*;
 import javax.xml.xpath.*;
@@ -38,6 +39,7 @@
 
 import static com.predic8.membrane.core.exchange.Exchange.*;
 import static com.predic8.membrane.core.http.Header.*;
+import static com.predic8.membrane.core.util.xml.NormalizeXMLForJsonUtil.normalizeForJson;
 import static java.lang.System.*;
 import static java.nio.charset.StandardCharsets.*;
 import static java.util.Collections.*;
@@ -65,6 +67,9 @@ public static Object jsonPath(String jsonPath, Message msg) {
 
     public static String toJSON(Object o) {
         try {
+            if (o instanceof NodeList || o instanceof Node) {
+                o = normalizeForJson(o);
+            }
             return objectMapper.writeValueAsString(o);
         } catch (Exception e) {
             log.info("Failed to convert object to JSON", e);

core/src/main/java/com/predic8/membrane/core/lang/ScriptingUtils.java

@@ -113,7 +113,7 @@ public static Map<String, Object> createParameterBindings(Router router, Exchang
         params.put("pathParam", new PathParametersMap(exc));
 
         // "fn" is the special key used to set the Groovy Binding.
-        // The Groovy Binding is allows function invocation in Groovy scripts with ${functionname()} .
+        // The Groovy Binding allows function invocation in Groovy scripts with ${functionname()} .
         params.put(BINDING, new GroovyBuiltInFunctions(exc, flow, router, params) {
             @Override
             public Object escape(Object o) {

core/src/main/java/com/predic8/membrane/core/util/xml/NormalizeXMLForJsonUtil.java

@@ -0,0 +1,115 @@
+/* Copyright 2026 predic8 GmbH, www.predic8.com
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License. */
+
+package com.predic8.membrane.core.util.xml;
+
+import com.fasterxml.jackson.databind.*;
+import org.w3c.dom.*;
+
+import java.util.*;
+
+import static org.w3c.dom.Node.*;
+
+/**
+ * Utility class to normalize XML structures for JSON compatibility.
+ * The class provides methods to convert XML-based objects, such as
+ * Node and NodeList, into JSON-friendly structures.
+ * <p>
+ * This involves processing XML nodes and attributes, and representing
+ * them as JSON-compatible maps, arrays, and primitive types.
+ * <p>
+ * This class is stateless and thread-safe, and it cannot be instantiated.
+ */
+public class NormalizeXMLForJsonUtil {
+
+    private static final ObjectMapper om = new ObjectMapper();
+
+    private NormalizeXMLForJsonUtil() {
+    }
+
+    /**
+     * Normalizes an input object for JSON serialization. The method converts
+     * objects such as {@link NodeList} or {@link Node} to JSON-compatible objects.
+     * <p/>
+     * NodeList with one item is not converted to an array!
+     * <p/>
+     *
+     * @param o the XML input object to normalize, which could be a {@link NodeList},
+     *          a single {@link Node}, or any other object
+     * `@return` a JSON-compatible object. If the input is a {`@link` NodeList}, it converts
+     * to a list of normalized node values (or a single unwrapped value for single-item lists).
+     * If it is a single {`@link` Node}, it converts to its normalized value.
+     * For other objects, they are returned as-is.
+     */
+    public static Object normalizeForJson(Object o) {
+        switch (o) {
+            case null -> {
+                return null;
+            }
+
+            // XPath often returns NodeList (e.g. DTMNodeList). Convert to JSON-friendly structure.
+            case NodeList nl -> {
+                var arr = new ArrayList<>(nl.getLength());
+                for (int i = 0; i < nl.getLength(); i++) {
+                    arr.add(nodeToJsonValue(nl.item(i)));
+                }
+                if (arr.size() == 1) {
+                    return arr.getFirst();
+                }
+                return arr;
+            }
+            case Node n -> {
+                return nodeToJsonValue(n);
+            }
+            default -> {
+            }
+        }
+
+        return o;
+    }
+
+    private static Object nodeToJsonValue(Node n) {
+        if (n == null) return null;
+
+        var value = switch (n.getNodeType()) {
+            case ELEMENT_NODE -> elementToJsonValue(n);
+            case ATTRIBUTE_NODE, TEXT_NODE, CDATA_SECTION_NODE -> n.getNodeValue() != null ? n.getNodeValue().trim() : "";
+            default -> n.getTextContent();
+        };
+        var number = parseJsonNumber(value);
+        if (number != null)
+            return number;
+        return value;
+    }
+
+    private static Object elementToJsonValue(Node element) {
+        var text = element.getTextContent();
+        if (text != null) {
+            return text.trim();
+        }
+        return "";
+    }
+
+    private static Number parseJsonNumber(Object o) {
+        if (!(o instanceof String s)) return null;
+        try {
+            var n = om.readTree(s);
+            if (n == null || !n.isNumber())
+                return null;
+            return n.numberValue();   // returns Integer, Long, Double, BigDecimal, etc.
+        } catch (Exception e) {
+            return null;
+        }
+    }
+}

core/src/test/java/com/predic8/membrane/core/lang/CommonBuiltInFunctionsTest.java

@@ -20,20 +20,21 @@
 import com.predic8.membrane.core.security.*;
 import org.junit.jupiter.api.*;
 import org.w3c.dom.*;
-import org.xml.sax.InputSource;
+import org.xml.sax.*;
 
 import javax.xml.parsers.*;
-import java.net.*;
+import javax.xml.xpath.*;
 import java.io.*;
+import java.net.*;
 import java.util.*;
 
 import static com.predic8.membrane.core.exchange.Exchange.*;
 import static com.predic8.membrane.core.http.Header.*;
 import static com.predic8.membrane.core.http.Request.*;
 import static com.predic8.membrane.core.lang.CommonBuiltInFunctions.*;
 import static com.predic8.membrane.core.security.ApiKeySecurityScheme.In.*;
-import static javax.xml.xpath.XPathConstants.*;
 import static java.util.List.*;
+import static javax.xml.xpath.XPathConstants.*;
 import static org.junit.jupiter.api.Assertions.*;
 
 class CommonBuiltInFunctionsTest {
@@ -98,12 +99,12 @@ void xpathEvaluatesAgainstContextWithReturnTypeInference() throws Exception {
                 """);
 
         Object nodes = xpath("//fruit", document, null);
-        assertTrue(nodes instanceof NodeList);
+        assertInstanceOf(NodeList.class, nodes);
         assertEquals(2, ((NodeList) nodes).getLength());
 
-        Node firstFruit = ((NodeList) nodes).item(0);
+        var firstFruit = ((NodeList) nodes).item(0);
         Object nameNode = xpath("./name", firstFruit, null);
-        assertTrue(nameNode instanceof Node);
+        assertInstanceOf(Node.class, nameNode);
         assertEquals("name", ((Node) nameNode).getNodeName());
 
         assertEquals("Apricot", xpath("string(./name)", firstFruit, null));
@@ -231,7 +232,7 @@ void integer() {
             assertEquals("1", toJSON(1));
         }
 
-                @Test
+        @Test
         void bool() {
             assertEquals("true", toJSON(true));
         }

core/src/test/java/com/predic8/membrane/core/util/xml/NormalizeXMLForJsonUtilTest.java

@@ -0,0 +1,165 @@
+package com.predic8.membrane.core.util.xml;
+
+import com.fasterxml.jackson.databind.*;
+import org.junit.jupiter.api.*;
+import org.w3c.dom.*;
+
+import javax.xml.parsers.*;
+import javax.xml.xpath.*;
+import java.io.*;
+import java.util.*;
+
+import static com.predic8.membrane.core.util.xml.NormalizeXMLForJsonUtil.*;
+import static java.nio.charset.StandardCharsets.*;
+import static java.util.Collections.emptyList;
+import static javax.xml.xpath.XPathConstants.*;
+import static org.junit.jupiter.api.Assertions.*;
+
+class NormalizeXMLForJsonUtilTest {
+
+    private static final ObjectMapper om = new ObjectMapper();
+
+    private static Object evaluateXPath(Document doc, String xpath) throws XPathExpressionException {
+        return XPathFactory.newInstance()
+                .newXPath()
+                .evaluate(xpath, doc, NODESET);
+    }
+
+    @Nested
+    class normalizeForJson_ {
+
+        @Test
+        void nullValue() {
+            assertNull(normalizeForJson(null));
+        }
+
+        @Test
+        void passthrough_nonXmlObject() {
+            Object o = "foo";
+            assertSame(o, normalizeForJson(o));
+        }
+
+        @Test
+        void nodeList_withTwoElements_becomesList() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a>1</a>
+                      <a>2</a>
+                    </root>
+                    """);
+
+            var norm = normalizeForJson(evaluateXPath(doc, "/root/a"));
+
+            assertTrue(norm instanceof List<?>);
+            List<?> list = (List<?>) norm;
+
+            assertEquals(2, list.size());
+            assertEquals(1, list.get(0)); // integer
+            assertEquals(2, list.get(1)); // integer
+        }
+
+        @Test
+        void nodeList_withSingleElement_isUnwrapped() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a>1</a>
+                    </root>
+                    """);
+
+            var norm = normalizeForJson(evaluateXPath(doc, "/root/a"));
+
+            assertInstanceOf(Number.class, norm);
+            assertEquals(1, ((Number) norm).intValue());
+        }
+
+        @Test
+        void singleNode_number_isParsed() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a>1.0</a>
+                    </root>
+                    """);
+
+            var node = XPathFactory.newInstance()
+                    .newXPath()
+                    .evaluate("/root/a", doc, NODE);
+
+            var norm = normalizeForJson(node);
+
+            assertInstanceOf(Number.class, norm);
+            // numberValue() may yield Double for 1.0
+            assertEquals(1.0d, ((Number) norm).doubleValue(), 0.0d);
+        }
+
+        @Test
+        void singleNode_nonNumber_isTrimmedString() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a>
+                        foo
+                      </a>
+                    </root>
+                    """);
+
+            var node = XPathFactory.newInstance()
+                    .newXPath()
+                    .evaluate("/root/a", doc, NODE);
+
+            assertEquals("foo", normalizeForJson(node));
+        }
+
+        @Test
+        void nodeList_nonNumber_values_areStrings() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a>foo</a>
+                      <a>bar</a>
+                    </root>
+                    """);
+
+            var norm = normalizeForJson(evaluateXPath(doc, "/root/a"));
+
+            assertTrue(norm instanceof List<?>);
+            List<?> list = (List<?>) norm;
+
+            assertEquals(List.of("foo", "bar"), list);
+        }
+
+        @Test
+        void normalizedValue_isJsonSerializable() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a>1</a>
+                      <a>2.5</a>
+                      <a>foo</a>
+                    </root>
+                    """);
+
+            var norm = normalizeForJson(evaluateXPath(doc, "/root/a"));
+
+            var roundTrip = om.readValue(om.writeValueAsString(norm), Object.class);
+            assertTrue(roundTrip instanceof List<?>);
+            assertEquals(3, ((List<?>) roundTrip).size());
+        }
+
+        @Test
+        void emptyNodeList_isJsonSerializable() throws Exception {
+            var doc = parseXml("""
+                    <root>
+                      <a></a>
+                    </root>
+                    """);
+            var norm = normalizeForJson(evaluateXPath(doc, "/root/notThere"));
+            assertEquals(emptyList(), norm);
+            // verify it survives a Jackson round-trip
+            var roundTrip = om.readValue(om.writeValueAsString(norm), Object.class);
+            assertEquals(emptyList(), roundTrip);
+        }
+
+        private Document parseXml(String xml) throws Exception {
+            var dbf = DocumentBuilderFactory.newInstance();
+            dbf.setNamespaceAware(true);
+            return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(UTF_8)));
+        }
+    }
+}

distribution/tutorials/transformation/40-REST-GET-to-SOAP.yaml

@@ -26,13 +26,12 @@ api:
             name: SOAPAction
             value: https://predic8.de/cities/get
     - response:
-        - setBody:
-            language: xpath
+        - template:
             contentType: application/json
-            value: |
+            src: |
               {
-                "country": "${//country}",
-                "population": ${//population}
+                "country": ${xpath('//country')},
+                "population": ${xpath('//population')}
               }
   target:
     # Change method to POST