check for entitiy expansion for lastEntities and html entities too

amitguptagwl · amitguptagwl · commit bd26122c838e · 2026-03-16T16:43:17.000+05:30
diff --git a/spec/html_spec.js b/spec/html_spec.js
@@ -79,4 +79,23 @@ describe("XMLParser", function () {
     output = output.replace('₹', '&inr;');
     expect(output.replace(/\s+/g, "")).toEqual(html.replace(/\s+/g, ""));
   });
+
+  it("should throw error for html entities", function () {
+    const entity = '&#65;'.repeat(30);
+    const xmlData = `<root>${entity}</root>`;
+
+    const options = {
+      htmlEntities: true,
+      processEntities: {
+        enabled: true,
+        maxTotalExpansions: 20,
+      }
+    };
+    const parser = new XMLParser(options);
+
+    expect(function () {
+      const result = parser.parse(xmlData);
+      console.log(JSON.stringify(result, null, 4));
+    }).toThrowError(/Entity expansion limit exceeded: 30 > 20/);
+  });
 });
diff --git a/src/xmlparser/OrderedObjParser.js b/src/xmlparser/OrderedObjParser.js
@@ -621,7 +621,7 @@ function replaceEntitiesValue(val, tagName, jPath) {
   }
 
   // Replace DOCTYPE entities
-  for (let entityName in this.docTypeEntities) {
+  for (const entityName of Object.keys(this.docTypeEntities)) {
     const entity = this.docTypeEntities[entityName];
     const matches = val.match(entity.regx);
 
@@ -653,19 +653,38 @@ function replaceEntitiesValue(val, tagName, jPath) {
       }
     }
   }
-  if (val.indexOf('&') === -1) return val;  // Early exit
-
   // Replace standard entities
-  for (let entityName in this.lastEntities) {
+  for (const entityName of Object.keys(this.lastEntities)) {
     const entity = this.lastEntities[entityName];
+    const matches = val.match(entity.regex);
+    if (matches) {
+      this.entityExpansionCount += matches.length;
+      if (entityConfig.maxTotalExpansions &&
+        this.entityExpansionCount > entityConfig.maxTotalExpansions) {
+        throw new Error(
+          `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}`
+        );
+      }
+    }
     val = val.replace(entity.regex, entity.val);
   }
-  if (val.indexOf('&') === -1) return val;  // Early exit
+  if (val.indexOf('&') === -1) return val;
 
   // Replace HTML entities if enabled
   if (this.options.htmlEntities) {
-    for (let entityName in this.htmlEntities) {
+    for (const entityName of Object.keys(this.htmlEntities)) {
       const entity = this.htmlEntities[entityName];
+      const matches = val.match(entity.regex);
+      if (matches) {
+        //console.log(matches);
+        this.entityExpansionCount += matches.length;
+        if (entityConfig.maxTotalExpansions &&
+          this.entityExpansionCount > entityConfig.maxTotalExpansions) {
+          throw new Error(
+            `Entity expansion limit exceeded: ${this.entityExpansionCount} > ${entityConfig.maxTotalExpansions}`
+          );
+        }
+      }
       val = val.replace(entity.regex, entity.val);
     }
   }
