Gathering detailed insights and metrics for saxes
Gathering detailed insights and metrics for saxes
Gathering detailed insights and metrics for saxes
Gathering detailed insights and metrics for saxes
@rubensworks/saxes
An evented streaming XML parser in JavaScript
ltx
<xml for="JavaScript">
slimdom-sax-parser
Parse an XML string to a light-weight spec-compliant document object model, for browser and Node
@netless/xml-js
A converter between XML text and Javascript object / JSON text.
npm install saxes
Module System
Min. Node Version
Typescript Support
Node Version
NPM Version
75 Stars
1,181 Commits
19 Forks
3 Watching
17 Branches
39 Contributors
Updated on 10 Nov 2024
TypeScript (98.59%)
JavaScript (1.41%)
Cumulative downloads
Total Downloads
Last day
-2.9%
4,846,091
Compared to previous day
Last week
3.9%
26,083,069
Compared to previous week
Last month
21.3%
103,071,704
Compared to previous month
Last year
13.4%
1,014,874,606
Compared to previous year
1
32
A sax-style non-validating parser for XML.
Saxes is a fork of sax 1.2.4. All mentions of sax in this project's documentation are references to sax 1.2.4.
Designed with node in mind, but should work fine in the browser or other CommonJS implementations.
Saxes does not support Node versions older than 10.
Saxes aims to be much stricter than sax with regards to XML well-formedness. Sax, even in its so-called "strict mode", is not strict. It silently accepts structures that are not well-formed XML. Projects that need better compliance with well-formedness constraints cannot use sax as-is.
Consequently, saxes does not support HTML, or pseudo-XML, or bad XML. Saxes will report well-formedness errors in all these cases but it won't try to extract data from malformed documents like sax does.
Saxes is much much faster than sax, mostly because of a substantial redesign of the internal parsing logic. The speed improvement is not merely due to removing features that were supported by sax. That helped a bit, but saxes adds some expensive checks in its aim for conformance with the XML specification. Redesigning the parsing logic is what accounts for most of the performance improvement.
Saxes does not aim to support antiquated platforms. We will not pollute the source or the default build with support for antiquated platforms. If you want support for IE 11, you are welcome to produce a PR that adds a new build transpiled to ES5.
Saxes handles errors differently from sax: it provides a default onerror
handler which throws. You can replace it with your own handler if you want. If
your handler does nothing, there is no resume
method to call.
There's no Stream
API. A revamped API may be introduced later. (It is still
a "streaming parser" in the general sense that you write a character stream to
it.)
Saxes does not have facilities for limiting the size the data chunks passed to event handlers. See the FAQ entry for more details.
Saxes supports:
This is a non-validating parser so it only verifies whether the document is well-formed. We do aim to raise errors for all malformed constructs encountered. However, this parser does not thorougly parse the contents of DTDs. So most malformedness errors caused by errors in DTDs cannot be reported.
<!DOCTYPE
and <!ENTITY
The parser will handle the basic XML entities in text nodes and attribute
values: & < > ' "
. It's possible to define additional
entities in XML by putting them in the DTD. This parser doesn't do anything with
that. If you want to listen to the doctype
event, and then fetch the
doctypes, and read the entities and add them to parser.ENTITIES
, then be my
guest.
The source code contains JSDOC comments. Use them. What follows is a brief summary of what is available. The final authority is the source code.
PAY CLOSE ATTENTION TO WHAT IS PUBLIC AND WHAT IS PRIVATE.
The move to TypeScript makes it so that everything is now formally private, protected, or public.
If you use anything not public, that's at your own peril.
If there's a mistake in the documentation, raise an issue. If you just assume, you may assume incorrectly.
1var saxes = require("./lib/saxes"), 2 parser = new saxes.SaxesParser(); 3 4parser.on("error", function (e) { 5 // an error happened. 6}); 7parser.on("text", function (t) { 8 // got some text. t is the string of text. 9}); 10parser.on("opentag", function (node) { 11 // opened a tag. node has "name" and "attributes" 12}); 13parser.on("end", function () { 14 // parser stream is done, and ready to have more stuff written to it. 15}); 16 17parser.write('<xml>Hello, <who name="world">world</who>!</xml>').close();
Settings supported:
xmlns
- Boolean. If true
, then namespaces are supported. Default
is false
.
position
- Boolean. If false
, then don't track line/col/position. Unset is
treated as true
. Default is unset. Currently, setting this to false
only
results in a cosmetic change: the errors reported do not contain position
information. sax-js would literally turn off the position-computing logic if
this flag was set to false. The notion was that it would optimize
execution. In saxes at least it turns out that continually testing this flag
causes a cost that offsets the benefits of turning off this logic.
fileName
- String. Set a file name for error reporting. This is useful only
when tracking positions. You may leave it unset.
fragment
- Boolean. If true
, parse the XML as an XML fragment. Default is
false
.
additionalNamespaces
- A plain object whose key, value pairs define
namespaces known before parsing the XML file. It is not legal to pass
bindings for the namespaces "xml"
or "xmlns"
.
defaultXMLVersion
- The default version of the XML specification to use if
the document contains no XML declaration. If the document does contain an XML
declaration, then this setting is ignored. Must be "1.0"
or "1.1"
. The
default is "1.0"
.
forceXMLVersion
- Boolean. A flag indicating whether to force the XML
version used for parsing to the value of defaultXMLVersion
. When this flag
is true
, defaultXMLVersion
must be specified. If unspecified, the
default value of this flag is false
.
Example: suppose you are parsing a document that has an XML declaration specifying XML version 1.1.
If you set defaultXMLVersion
to "1.0"
without setting
forceXMLVersion
then the XML declaration will override the value of
defaultXMLVersion
and the document will be parsed according to XML 1.1.
If you set defaultXMLVersion
to "1.0"
and set forceXMLVersion
to
true
, then the XML declaration will be ignored and the document will be
parsed according to XML 1.0.
write
- Write bytes onto the stream. You don't have to pass the whole document
in one write
call. You can read your source chunk by chunk and call write
with each chunk.
close
- Close the stream. Once closed, no more data may be written until it is
done processing the buffer, which is signaled by the end
event.
The parser has the following properties:
line
, column
, columnIndex
, position
- Indications of the position in the
XML document where the parser currently is looking. The columnIndex
property
counts columns as if indexing into a JavaScript string, whereas the column
property counts Unicode characters.
closed
- Boolean indicating whether or not the parser can be written to. If
it's true
, then wait for the ready
event to write again.
opt
- Any options passed into the constructor.
xmlDecl
- The XML declaration for this document. It contains the fields
version
, encoding
and standalone
. They are all undefined
before
encountering the XML declaration. If they are undefined after the XML
declaration, the corresponding value was not set by the declaration. There is no
event associated with the XML declaration. In a well-formed document, the XML
declaration may be preceded only by an optional BOM. So by the time any event
generated by the parser happens, the declaration has been processed if present
at all. Otherwise, you have a malformed document, and as stated above, you
cannot rely on the parser data!
The parser continues to parse even upon encountering errors, and does its best
to continue reporting errors. You should heed all errors reported. After an
error, however, saxes may interpret your document incorrectly. For instance
<foo a=bc="d"/>
is invalid XML. Did you mean to have <foo a="bc=d"/>
or
<foo a="b" c="d"/>
or some other variation? For the sake of continuing to
provide errors, saxes will continue parsing the document, but the structure it
reports may be incorrect. It is only after the errors are fixed in the document
that saxes can provide a reliable interpretation of the document.
That leaves you with two rules of thumb when using saxes:
Pay attention to the errors that saxes report. The default onerror
handler
throws, so by default, you cannot miss errors.
ONCE AN ERROR HAS BEEN ENCOUNTERED, STOP RELYING ON THE EVENT HANDLERS OTHER
THAN onerror
. As explained above, when saxes runs into a well-formedness
problem, it makes a guess in order to continue reporting more errors. The guess
may be wrong.
To listen to an event, override on<eventname>
. The list of supported events
are also in the exported EVENTS
array.
See the JSDOC comments in the source code for a description of each supported event.
The XML specification does not define any method by which to parse XML fragments. However, there are usage scenarios in which it is desirable to parse fragments. In order to allow this, saxes provides three initialization options.
If you pass the option fragment: true
to the parser constructor, the parser
will expect an XML fragment. It essentially starts with a parsing state
equivalent to the one it would be in if parser.write("<foo">)
had been called
right after initialization. In other words, it expects content which is
acceptable inside an element. This also turns off well-formedness checks that
are inappropriate when parsing a fragment.
The option additionalNamespaces
allows you to define additional prefix-to-URI
bindings known before parsing starts. You would use this over resolvePrefix
if
you have at the ready a series of namespaces bindings to use.
The option resolvePrefix
allows you to pass a function which saxes will use if
it is unable to resolve a namespace prefix by itself. You would use this over
additionalNamespaces
in a context where getting a complete list of defined
namespaces is onerous.
Note that you can use additionalNamespaces
and resolvePrefix
together if you
want. additionalNamespaces
applies before resolvePrefix
.
The options additionalNamespaces
and resolvePrefix
are really meant to be
used for parsing fragments. However, saxes won't prevent you from using them
with fragment: false
. Note that if you do this, your document may parse
without errors and yet be malformed because the document can refer to namespaces
which are not defined in the document.
Of course, additionalNamespaces
and resolvePrefix
are used only if xmlns
is true
. If you are parsing a fragment that does not use namespaces, there's
no point in setting these options.
saxes works faster on files that use newlines (\u000A
) as end of line
markers than files that use other end of line markers (like \r
or
\r\n
). The XML specification requires that conformant applications behave
as if all characters that are to be treated as end of line characters are
converted to \u000A
prior to parsing. The optimal code path for saxes is a
file in which all end of line characters are already \u000A
.
Don't split Unicode strings you feed to saxes across surrogates. When you
naively split a string in JavaScript, you run the risk of splitting a Unicode
character into two surrogates. e.g. In the following example a
and b
each contain half of a single Unicode character: const a = "\u{1F4A9}"[0]; const b = "\u{1F4A9}"[1]
If you feed such split surrogates to versions of
saxes prior to 4, you'd get errors. Saxes version 4 and over are able to
detect when a chunk of data ends with a surrogate and carry over the surrogate
to the next chunk. However this operation entails slicing and concatenating
strings. If you can feed your data in a way that does not split surrogates,
you should do it. (Obviously, feeding all the data at once with a single write
is fastest.)
Don't set event handlers you don't need. Saxes has always aimed to avoid doing work that will just be tossed away but future improvements hope to do this more aggressively. One way saxes knows whether or not some data is needed is by checking whether a handler has been set for a specific event.
Q. Why has saxes dropped support for limiting the size of data chunks passed to event handlers?
A. With sax you could set MAX_BUFFER_LENGTH
to cause the parser to limit the
size of data chunks passed to event handlers. So if you ran into a span of text
above the limit, multiple text
events with smaller data chunks were fired
instead of a single event with a large chunk.
However, that functionality had some problematic characteristics. It had an
arbitrary default value. It was library-wide so all parsers created from a
single instance of the sax
library shared it. This could potentially cause
conflicts among libraries running in the same VM but using sax for different
purposes.
These issues could have been easily fixed, but there were larger issues. The
buffer limit arbitrarily applied to some events but not others. It would split
text
, cdata
and script
events. However, if a comment
,
doctype
, attribute
or processing instruction
were more than the
limit, the parser would generate an error and you were left picking up the
pieces.
It was not intuitive to use. You'd think setting the limit to 1K would prevent
chunks bigger than 1K to be passed to event handlers. But that was not the
case. A comment in the source code told you that you might go over the limit if
you passed large chunks to write
. So if you want a 1K limit, don't pass 64K
chunks to write
. Fair enough. You know what limit you want so you can
control the size of the data you pass to write
. So you limit the chunks to
write
to 1K at a time. Even if you do this, your event handlers may get data
chunks that are 2K in size. Suppose on the previous write
the parser has
just finished processing an open tag, so it is ready for text. Your write
passes 1K of text. You are not above the limit yet, so no event is generated
yet. The next write
passes another 1K of text. It so happens that sax checks
buffer limits only once per write
, after the chunk of data has been
processed. Now you've hit the limit and you get a text
event with 2K of
data. So even if you limit your write
calls to the buffer limit you've set,
you may still get events with chunks at twice the buffer size limit you've
specified.
We may consider reinstating an equivalent functionality, provided that it addresses the issues above and does not cause a huge performance drop for use-case scenarios that don't need it.
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
6 existing vulnerabilities detected
Details
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
Reason
0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
no SAST tool detected
Details
Reason
Found 0/30 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
Reason
project is not fuzzed
Details
Reason
branch protection not enabled on development/release branches
Details
Score
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More