Update dependency xmldom to v0.5.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
xmldom	0.4.0 -> 0.5.0

GitHub Vulnerability Alerts

CVE-2021-21366

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

• https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

• Open an issue in xmldom/xmldom
• Email us: send an email to all addresses that are shown by npm owner ls xmldom

---

Release Notes

xmldom/xmldom (xmldom)

v0.5.0

Compare Source

Commits

Fixes

• Avoid misinterpretation of malicious XML input - GHSA-h6q6-9hqw-rwfv (CVE-2021-21366)

  • Improve error reporting; throw on duplicate attribute
    BREAKING CHANGE: It is currently not clear how to consistently deal with duplicate attributes, so it's also safer for our users to fail when detecting them.
    It's possible to configure the DOMParser.errorHandler before parsing, to handle those errors differently.

    To accomplish this and also be able to verify it in tests I needed to

    • create a new Error type ParseError and export it
    • Throw ParseError from errorHandler.fatalError and prevent those from being caught in XMLReader.
    • export DOMHandler constructor as __DOMHandler

  • Preserve quotes in DOCTYPE declaration
    Since the only purpose of parsing the DOCTYPE is to be able to restore it when serializing, we decided that it would be best to leave the parsed publicId and systemId as is, including any quotes.
    BREAKING CHANGE: If somebody relies on the actual unquoted values of those ids, they will need to take care of either single or double quotes and the right escaping.
    (Without this change this would not have been possible because the SAX parser already dropped the information about the quotes that have been used in the source.)

    https://www.w3.org/TR/2006/REC-xml11-20060816/#dtd
    https://www.w3.org/TR/2006/REC-xml11-20060816/#IDAX1KS (External Entity Declaration)

• Fix breaking preprocessors' directives when parsing attributes #171

• fix(dom): Escape ]]> when serializing CharData #181

• Switch to (only) MIT license (drop problematic LGPL license option) #178

• Export DOMException; remove custom assertions; etc. #174

Docs

• Update MDN links in readme.md #188

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.