Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: add comprehensive security validation and documentation to sitemap-xml #457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 13, 2025
Merged

feat: add comprehensive security validation and documentation to sitemap-xml #457

merged 1 commit into from
Oct 13, 2025

Conversation

@derduher
Copy link
Collaborator

Summary

This PR enhances the security and code quality of lib/sitemap-xml.ts through comprehensive validation, improved XML entity escaping, and detailed documentation.

Security Improvements

πŸ”’ Enhanced XML Entity Escaping

  • Added > character escaping (>) to text() function for defense-in-depth
  • Prevents CDATA injection and ensures complete XML safety
  • Text content: now escapes &, <, >
  • Attribute values: escape &, <, >, ", '

πŸ›‘οΈ Attribute Name Validation

  • New validateAttributeName() function prevents injection via malformed attribute names
  • Validates against XML spec (alphanumeric, hyphens, underscores, colons, periods)
  • New error class: InvalidXMLAttributeNameError
  • Throws on attribute names with invalid characters (e.g., <script>)

πŸ” Type Safety

  • Added runtime type validation to all functions (text, otag, ctag, element)
  • Functions throw TypeError for non-string inputs
  • Descriptive error messages for debugging

Code Quality Improvements

πŸ“š Comprehensive Documentation

  • Added detailed JSDoc comments to all exported functions
  • Documented security model and escaping rationale
  • Explained Unicode regex with references to XML 1.0 spec
  • Added usage examples for all functions

βœ… Test Coverage

  • Expanded tests from 70 to 88 test cases (+25%)
  • Achieved 100% code coverage for sitemap-xml.ts
  • Added security-focused tests for XML injection attempts
  • Added tests for attribute name validation
  • Added tests for type validation edge cases

Breaking Changes

These are defensive breaking changes that improve security:

  1. otag() throws InvalidXMLAttributeNameError for invalid attribute names
  2. All functions throw TypeError for non-string inputs
  3. Text content now escapes > character (outputs &gt;)

⚠️ Impact: These changes only affect code passing malformed data, catching bugs early rather than generating invalid XML.

Test Results

  • βœ… All 325 tests passing
  • βœ… 100% code coverage for sitemap-xml.ts (Statements: 100%, Branches: 100%, Functions: 100%, Lines: 100%)
  • βœ… Overall project coverage: 90.7% statements, 84.85% branches, 94.08% functions
  • βœ… XML schema validation passes
  • βœ… Lint and TypeScript compilation successful (ESM + CJS)

Files Changed

  • lib/sitemap-xml.ts - Complete rewrite with security enhancements and documentation
  • lib/errors.ts - Added InvalidXMLAttributeNameError class
  • tests/sitemap-xml.test.ts - Comprehensive test suite expansion
  • tests/mocks/generator.ts - Updated test fixtures for new escaping
  • tests/sitemap-item-stream.test.ts - Updated one attribute escape sequence

Related Issues

Addresses security audit requirements for XML generation code.

πŸ€– Generated with Claude Code

@derduher @claude
feat: add comprehensive security validation and documentation to site…
aef75ce 
…map-xml

## Security Improvements

### Enhanced XML Entity Escaping
- Added `>` character escaping (&gt;) to text() function for defense-in-depth
- Prevents CDATA injection and ensures complete XML safety
- Text content now escapes: &, <, >
- Attribute values escape: &, <, >, ", '

### Attribute Name Validation
- Added validateAttributeName() to prevent injection via malformed attribute names
- Validates against XML spec (alphanumeric, hyphens, underscores, colons, periods)
- New error class: InvalidXMLAttributeNameError
- Throws on attribute names with invalid characters (e.g., <script>)

### Type Safety
- Added runtime type validation to all functions (text, otag, ctag, element)
- Functions throw TypeError for non-string inputs
- Descriptive error messages for debugging

## Code Quality Improvements

### Comprehensive Documentation
- Added detailed JSDoc comments to all exported functions
- Documented security model and escaping rationale
- Explained Unicode regex with references to XML 1.0 spec
- Added usage examples for all functions

### Test Coverage
- Expanded tests from 70 to 88 test cases
- Achieved 100% code coverage for sitemap-xml.ts
- Added security-focused tests for XML injection attempts
- Added tests for attribute name validation
- Added tests for type validation edge cases

## Breaking Changes

These are defensive breaking changes that improve security:

1. otag() throws InvalidXMLAttributeNameError for invalid attribute names
2. All functions throw TypeError for non-string inputs
3. Text content now escapes > character (outputs &gt;)

These changes only affect code passing malformed data, catching bugs early
rather than generating invalid XML.

## Test Results

- All 325 tests passing
- 100% code coverage for sitemap-xml.ts
- XML schema validation passes
- Lint and TypeScript compilation successful

πŸ€– Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@derduher derduher merged commit 4432d3c into master Oct 13, 2025
6 checks passed
@derduher derduher deleted the security/sitemap-xml-audit-improvements branch October 13, 2025 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@derduher