fiznool / body-parser-xml
XML parser middleware for express.js.
License: MIT License
With the latest versions of express, body-parser is integrated into express itself and provides the same middleware (Docs: https://expressjs.com/en/api.html#express.json). It would be good to use the Express middleware directly for xml as well, instead of body-parser.
Example:
const express = require('express');
require('body-parser-xml')(express);
const app = express();
app.use(express.xml());
As described in this issue, I import the lib as follows:
import bodyParser from "body-parser";
import bodyParserXml from "body-parser-xml";
However, then I get
(node:98360) UnhandledPromiseRejectionWarning: TypeError: body_parser_xml_1.default is not a function
Usage with require works well, but is not wanted by Eslint.
Do you have a suggestion on how to fix this?
Hi,
I was trying to open a PR but I have trouble with permissions.
In some cases xml2js.Parser parseString() can throw an error after executing the callback.
This leads to the emission of a Node 'uncaughtException' in the express application.
The following lines (index.js 32-40)
parser.parseString(req.body, function(err, xml) {
if(err) {
err.status = 400;
return next(err);
}
req.body = xml || req.body;
next();
});
should be wrapped:
try {
parser.parseString(req.body, function(err, xml) {
if(err) {
err.status = 400;
return next(err);
}
req.body = xml || req.body;
next();
});
} catch (err) {
// in some cases xml2js.Parser parseString() can
// throw an error after executing the callback;
// see its source code for more details
}
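The failure mode above, demonstrated with an added example that is not body-parser-xml's code: a callback-once guard around a callback-style parser, so an exception thrown by downstream middleware (inside next()) can neither re-enter the callback nor be misreported as a 400 parse error, and is not silently swallowed either. `parseStringStub` is a constructed stand-in for xml2js.Parser#parseString that reproduces only the behaviour the issue describes (a throw from inside the callback escapes the parse call after the callback has run); `runMiddleware` is a hypothetical test harness.

```javascript
// Added example (not body-parser-xml's code): callback-once guard around a
// callback-style XML parser.

// Constructed stand-in for xml2js.Parser#parseString. As with the real parser's
// behaviour described in the issue, an exception thrown *inside* the callback
// propagates back out of parseString, i.e. after the callback has already run.
function parseStringStub(str, cb) {
  if (str.trim() === '') return cb(null, null);
  if (!str.startsWith('<')) return cb(new Error('Non-whitespace before first tag.'));
  return cb(null, { root: str });
}

// Middleware factory. `parse` is any (str, cb) parser; `done` may only fire once.
function xmlMiddleware(parse) {
  return function (req, res, next) {
    let finished = false;
    const done = (err, xml) => {
      if (finished) return;       // a second invocation is ignored, never a second next()
      finished = true;
      if (err) {
        err.status = 400;
        return next(err);
      }
      req.body = xml || req.body;
      return next();
    };
    try {
      parse(req.body, done);
    } catch (err) {
      // If `done` already ran, the exception came from the handlers invoked by
      // next(), not from parsing: rethrow so the caller (Express's router, which
      // catches synchronous throws and routes them to error handlers) sees it,
      // instead of swallowing it or reporting it as a parse error.
      if (finished) throw err;
      done(err);                  // genuine synchronous parser failure -> 400
    }
  };
}

// Hypothetical harness: run the middleware against a constructed request and
// record what next() saw and whether anything escaped the middleware.
function runMiddleware(body, downstream) {
  const req = { body };
  const nextCalls = [];
  let escaped = null;
  const next = (err) => {
    nextCalls.push(err ? err.status : 'ok');
    if (downstream) downstream();
  };
  try {
    xmlMiddleware(parseStringStub)(req, {}, next);
  } catch (e) {
    escaped = e;
  }
  return { nextCalls, body: req.body, escaped };
}
```

With a downstream handler that throws, `runMiddleware('<a/>', () => { throw new Error('boom'); })` records exactly one call to next() and the thrown error escapes the middleware rather than being turned into a 400 or lost in an empty catch block.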
This module uses bodyparser.text() to parse the body as text and passes the options object to configure it.
As you can see here, bodyparser accepts the options.type option as a function, which allows the user to control type matching precisely.
Unfortunately, in body-parser-xml there is a line where it checks if the passed options.type is not an array and converts it into an array, thus breaking default bodyparser.text()'s ability to use the user's function, because that function checks if the passed 'type' option is a function.
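The breakage above, shown with an added example that is neither body-parser-xml's nor body-parser's code. `matchesType` is a constructed, simplified stand-in for how body-parser decides whether to parse a request (a function-valued `type` decides by itself; otherwise the list is matched against Content-Type); `normalizeTypeBuggy` reproduces the array-wrapping described in the issue next to a corrected variant, and `xmlTypeMatcher` is a hypothetical user-supplied matcher.

```javascript
// Added example (not project code): why wrapping a function-valued `type` in an
// array disables the user's matcher.

// Simplified stand-in for body-parser's type check (the real one uses type-is):
// a function decides itself; otherwise each string entry is compared against the
// request's Content-Type, either exactly or as a '+suffix' match.
function matchesType(req, type) {
  if (typeof type === 'function') return Boolean(type(req));
  const contentType = String(req.headers['content-type'] || '').split(';')[0].trim();
  const list = Array.isArray(type) ? type : [type];
  return list.some((entry) =>
    typeof entry === 'string' &&
    (entry === contentType || (entry.startsWith('+') && contentType.endsWith(entry))));
}

// The behaviour the issue describes: every non-array value, functions included,
// is wrapped in an array, so body-parser never sees a function.
function normalizeTypeBuggy(type) {
  return Array.isArray(type) ? type : [type];
}

// Corrected: leave a function (and an existing array) untouched; only wrap a string.
function normalizeTypeFixed(type) {
  if (typeof type === 'function' || Array.isArray(type)) return type;
  return [type];
}

// Hypothetical user matcher: accept the standard XML types and any */*+xml subtype.
function xmlTypeMatcher(req) {
  const ct = String(req.headers['content-type'] || '').split(';')[0].trim();
  return ct === 'application/xml' || ct === 'text/xml' || ct.endsWith('+xml');
}

// Would a request with this Content-Type be parsed after normalisation?
function wouldParse(normalize, type, contentType) {
  const req = { headers: { 'content-type': contentType } };   // constructed request
  return matchesType(req, normalize(type));
}
```

`wouldParse(normalizeTypeBuggy, xmlTypeMatcher, 'application/custom+xml')` is false because the matcher arrives inside an array and is never called, while the fixed normalisation returns true; plain string types such as `'text/xml'` behave the same under both.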
How should it go with an ES6 import?
Hi, could you update your dev dependencies, as they are out of date? This is a great module and I would hate for it to break down! Thanks!
Hello, @fiznool - a potential high severity Prototype Pollution vulnerability in your repository has been disclosed to us.
1. Visit https://huntr.dev/bounties/1-other-fiznool/body-parser-xml for more advisory information.
2. Sign-up to validate or speak to the researcher for more assistance.
3. Propose a patch or outsource it to our community - whoever fixes it gets paid.
Join us on our Discord and a member of our team will be happy to help!
Speak to a member of our team: @JamieSlome
This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.
[email protected] was found to have a regression, per this issue: Leonidas-from-XIV/node-xml2js#677
It was resolved in 0.6.0. Is it possible to update the xml2js dependency to "^0.6.0"?
npm audit is informing me of this vulnerability:
xml2js <=0.4.23
Severity: high
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js
body-parser-xml *
Depends on vulnerable versions of xml2js
node_modules/body-parser-xml
xml2js released version 0.5.0 with this fix, please update the dependency.