Security Advisories | Source: GitHub Security Advisories
[fast-xml-parser] fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
By GitHub, February 21, 2026
Entity encoding bypass via regex injection in DOCTYPE entity names

**Summary**

A dot (`.`) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (`<`, `>`, `&`, `"`, `'`) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.

**Details**

The fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed `.` (period), which is valid in XML names per the W3C spec. In `DocTypeReader.js`, entity names are passed directly to `RegExp()`:

```javascript
entities[entityName] = { regx: RegExp(`&${entityName};`, "g"), val: val };
```

An entity named l...
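To make the mechanism concrete, here is an added example (not fast-xml-parser's own code): the entity-building line quoted above in its original form beside a hardened variant that escapes regex metacharacters in the name before calling `RegExp()`. The function names, the `l.` entity and the sample text are constructed for this demonstration; escaping the name is a common mitigation and not necessarily the fix the project shipped.

```javascript
// Added example, not fast-xml-parser code. Names and sample data are constructed.

// Vulnerable style (mirrors the advisory's snippet): the DOCTYPE entity name
// goes straight into RegExp(), so a "." in the name is a wildcard, not a literal.
function buildEntityUnsafe(entityName, val) {
  return { regx: RegExp(`&${entityName};`, "g"), val };
}

// Escape every regex metacharacter so the name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened variant: escape before building the pattern. This covers "." as well
// as the metacharacters the advisory says the earlier fix already handled.
function buildEntitySafe(entityName, val) {
  return { regx: RegExp(`&${escapeRegExp(entityName)};`, "g"), val };
}

// Apply one custom entity to a text value, the way a parser's replacement step
// would, before the built-in entities (&lt;, &gt;, ...) are decoded.
function applyEntity(entity, text) {
  return text.replace(entity.regx, entity.val);
}

// Constructed sample: a text node that only uses built-in entities, and a
// DOCTYPE-declared entity whose name is "l." (a valid XML name).
const SAMPLE_TEXT = "&lt;b&gt;hello&lt;/b&gt;";

// Unsafe builder: the pattern &l.; also matches &lt;, so the built-in entity is
// rewritten with the attacker-chosen value instead of being decoded to "<".
const unsafeResult = applyEntity(buildEntityUnsafe("l.", "[shadowed]"), SAMPLE_TEXT);
// -> "[shadowed]b&gt;hello[shadowed]/b&gt;"

// Safe builder: the dot is literal, so &lt; is left alone for normal decoding.
const safeResult = applyEntity(buildEntitySafe("l.", "[shadowed]"), SAMPLE_TEXT);
// -> "&lt;b&gt;hello&lt;/b&gt;"

// The safe builder still resolves a genuine reference to the custom entity.
const literalResult = applyEntity(buildEntitySafe("l.", "X"), "a&l.;b");
// -> "aXb"
```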
---
**[devsupporter commentary]**
This article covers the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.