-
Notifications
You must be signed in to change notification settings - Fork 100
Permalink
Choose a base ref
{{ refName }}
default
Choose a head ref
{{ refName }}
default
Comparing changes
Choose two branches to see what’s changed or to start a new pull request.
If you need to, you can also or
learn more about diff comparisons.
Open a pull request
Create a new pull request by comparing changes across two branches. If you need to, you can also .
Learn more about diff comparisons here.
base repository: xmldom/xmldom
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 0.8.11
Could not load branches
Nothing to show
Loading
Could not load tags
Nothing to show
{{ refName }}
default
Loading
...
head repository: xmldom/xmldom
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 0.8.12
Could not load branches
Nothing to show
Loading
Could not load tags
Nothing to show
{{ refName }}
default
Loading
- 9 commits
- 14 files changed
- 3 contributors
Commits on Aug 17, 2025
-
Configuration menu - View commit details
-
Copy full SHA for cbf44d9 - Browse repository at this point
Copy the full SHA cbf44d9View commit details -
chore: add .nvmrc pointing to node version 18
to use for releasing new versions
Configuration menu - View commit details
-
Copy full SHA for cece752 - Browse repository at this point
Copy the full SHA cece752View commit details
Commits on Mar 7, 2026
-
fix: preserve trailing whitespace in ProcessingInstruction data (#962)
**Target branch**: `release-0.8.x` ### What Remove `\s*` from the `parseInstruction` regex in `lib/sax.js` so that trailing whitespace inside a processing instruction is preserved instead of silently stripped. ### Why Per [XML spec §2.6](https://www.w3.org/TR/xml/#sec-pi), PI data is everything between the mandatory separator whitespace after the target and the closing `?>`. Trailing whitespace inside the PI boundary is content — there is no rule to strip it. Conforming parsers (sax-js, libexpat) preserve it. This was already fixed on `master`/`0.9.x` as a side-effect of the large DOCTYPE rewrite in PR #498 (22k lines). This PR is the minimal, non-breaking backport for the maintained `0.8.x` line. ### How `parseInstruction` builds a substring that already excludes `?>`, so `$` anchors immediately before it. The `\s*` before `$` was greedily consuming any trailing whitespace from PI data before passing it to `domBuilder.processingInstruction`. Removing it — while keeping `*?` on the data group to minimise diff — is the complete fix. ```js // before source.substring(start, end).match(/^<\?(\S*)\s*([\s\S]*?)\s*$/) // after source.substring(start, end).match(/^<\?(\S*)\s*([\s\S]*?)$/) ``` Five existing snapshots in `test/xmltest/__snapshots__/not-wf.test.js.snap` were updated: they captured the old buggy behaviour (trailing space stripped from XML-declaration-like PIs in the not-well-formed corpus). The updated snapshots reflect the now-correct output. ### Scope Addresses the trailing-whitespace sub-issue from #42, backporting #498 behaviour to 0.8.x.
Configuration menu - View commit details
-
Copy full SHA for ac40424 - Browse repository at this point
Copy the full SHA ac40424View commit details
Commits on Mar 23, 2026
-
chore: add local CI script and format:check script
Add `.github/workflows/ci-local.sh` for running the full CI suite locally before pushing. Exports `CI=true`, validates the active Node version against `.nvmrc`, and runs the same steps as GitHub Actions. Also adds the `format:check` npm script used by the CI script.
Configuration menu - View commit details
-
Copy full SHA for 968c893 - Browse repository at this point
Copy the full SHA 968c893View commit details -
Configuration menu - View commit details
-
Copy full SHA for ac0ac77 - Browse repository at this point
Copy the full SHA ac0ac77View commit details -
Configuration menu - View commit details
-
Copy full SHA for 4e37a20 - Browse repository at this point
Copy the full SHA 4e37a20View commit details -
Configuration menu - View commit details
-
Copy full SHA for a5b929b - Browse repository at this point
Copy the full SHA a5b929bView commit details
Commits on Mar 29, 2026
-
fix: XML injection via unsafe CDATA serialization (GHSA-wh4c-j3r5-mjhp)…
… (#968) Fixes GHSA-wh4c-j3r5-mjhp — XML injection via unsafe CDATA serialization. ### Fixed - Security: `createCDATASection` now throws `InvalidCharacterError` when `data` contains `"]]>"`, as required by the [WHATWG DOM spec](https://dom.spec.whatwg.org/#dom-document-createcdatasection). [`GHSA-wh4c-j3r5-mjhp`](GHSA-wh4c-j3r5-mjhp) - Security: `XMLSerializer` now splits CDATASection nodes whose data contains `"]]>"` into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (`appendData`, `replaceData`, `.data =`, `.textContent =`). [`GHSA-wh4c-j3r5-mjhp`](GHSA-wh4c-j3r5-mjhp) Code that passes a string containing `"]]>"` to `createCDATASection` and relied on the previously unsafe behavior will now receive `InvalidCharacterError`. Use a mutation method such as `appendData` if you intentionally need `"]]>"` in a CDATASection node's data.
Configuration menu - View commit details
-
Copy full SHA for ed08df7 - Browse repository at this point
Copy the full SHA ed08df7View commit details -
Configuration menu - View commit details
-
Copy full SHA for 189cb78 - Browse repository at this point
Copy the full SHA 189cb78View commit details
Loading
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff 0.8.11...0.8.12