Skip to content

fix: XML injection via unsafe CDATA serialization (GHSA-wh4c-j3r5-mjhp)#968

Merged
karfau merged 3 commits into
release-0.8.xfrom
fix/cdata-injection-0.8.x
Mar 29, 2026
Merged

fix: XML injection via unsafe CDATA serialization (GHSA-wh4c-j3r5-mjhp)#968
karfau merged 3 commits into
release-0.8.xfrom
fix/cdata-injection-0.8.x

Conversation

@karfau

@karfau karfau commented Mar 29, 2026

Copy link
Copy Markdown
Member

Fixes GHSA-wh4c-j3r5-mjhp — XML injection via unsafe CDATA serialization.

Fixed

  • Security: createCDATASection now throws InvalidCharacterError when data contains "]]>", as required by the WHATWG DOM spec. GHSA-wh4c-j3r5-mjhp
  • Security: XMLSerializer now splits CDATASection nodes whose data contains "]]>" into adjacent CDATA sections at serialization time, preventing XML injection via mutation methods (appendData, replaceData, .data =, .textContent =). GHSA-wh4c-j3r5-mjhp

Code that passes a string containing "]]>" to createCDATASection and relied on the previously unsafe behavior will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need "]]>" in a CDATASection node's data.

karfau added 3 commits March 29, 2026 19:46
…ains ']]>'

Backport of the Phase 1a fix to release-0.8.x. Adapts to 0.8.x code style:
bare INVALID_CHARACTER_ERR constant and prose @throws JSDoc style.

Refs: GHSA-wh4c-j3r5-mjhp
Backport of the Phase 1b fix to release-0.8.x. Uses string literals
('<![CDATA[', ']]>') instead of the g.CDATA_START/END constants from main.
Mutation-vector tests (appendData, replaceData, .data =, .textContent =)
added to test/dom/serializer.test.js.

Refs: GHSA-wh4c-j3r5-mjhp
@karfau karfau added this to the 0.8.12 milestone Mar 29, 2026
@karfau karfau merged commit ed08df7 into release-0.8.x Mar 29, 2026
21 checks passed
@karfau karfau deleted the fix/cdata-injection-0.8.x branch March 29, 2026 19:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant