Comments (7)
SmartLayer
commented on June 14, 2024
2
Looks like the problem is in
xmldommodule
xmldom/xmldom#22
You are right on this, but xmldom closed that bug without resolving it. I refiled it as xmldom/xmldom#203
from xmldsigjs.
micwallace
commented on June 14, 2024
1
This fix is now in pre-release @xmldom/xmldom@^0.9.0-beta.6
from xmldsigjs.
SmartLayer
commented on June 14, 2024
This is more mysterious than I thought! If I change the test XML into this:
<x:html xmlns:x="http://www.w3.org/1999/xhtml" xml:lang="en"><x:body><x:script type="text/javascript">
let message = " & ETH";</x:script></x:body></x:html>
That is, take the XML that can reproduce this bug, which has xmlns, replace it with x:xmlns and prefix every element with x:, then the canonicalization result is correct!
<x:html xmlns:x="http://www.w3.org/1999/xhtml" xml:lang="en"><x:body><x:script type="text/javascript">
let message = " & ETH";</x:script></x:body></x:html>
I feel this is the kind of bug that takes a few miutes to make or correct yet a few hours to find out! Spent quite a few hours to strip down complicated XML files to produce a demonstration.
from xmldsigjs.
SmartLayer
commented on June 14, 2024
Is there any way we can address this issue? This issue really look like a problem related to hardcoding certain rules when the default xmlns points to XHTML. Observe that if you change
<html xmlns="http://www.w3.org/1999/xhtml"
to
<html xmlns="http://www.w3.org/1999/xhtm"
(deleted one letter l)
Then the canonicalised output becomes correct.
It seems that the following rules are at work in either this project or some of the dependent libraries:
- Normally,
&in the text node denotes the beginning of an entity; - But, if the current node containing the text node is in XHTML namespace, rule that
&denotes the literal&(against XHTML); - But, in rule 2, if the current node containing the text node is in XHTML namespace through the use of a prefix (not through the default
xmlns), then rule 2 doesn't apply and the document is treated as a normal XML file (where&denotes the begining of an entity.
from xmldsigjs.
rmhrisk
commented on June 14, 2024
We can look at it but @microshine is tied up with other work at the moment. We will get back to your issue when thatβs done.
from xmldsigjs.
microshine
commented on June 14, 2024
Looks like the problem is in xmldom module
xmldom/xmldom#22
from xmldsigjs.
SmartLayer
commented on June 14, 2024
I'm closing this for now since I expect this issue to disappear if xmldom/xmldom#203 is solved.
from xmldsigjs.
Related Issues (20)
- How Can I verify a file with a External Certificate file (.cer) HOT 2
- XML error HOT 1
- XmlDsigEnvelopedSignatureTransform shouldn't remove all found Signatures HOT 3
- Uncaught ReferenceError: regeneratorRuntime is not defined - non-functional in browser HOT 3
- problems compiling with typescript HOT 5
- One <Transform> and c14n HOT 10
- Namespace prefix on root creates invalid signatures HOT 7
- Signature\KeyInfo\KeyName support
- How to verify when the signature is in a different file than the content? HOT 14
- Support for multiple content references to external files HOT 3
- How to set CanonicalizationMethod or default ? HOT 2
- Cannot apply transform to SignedProperties
- Cannot `Verify` signature with transforms applied HOT 5
- How to setEngine for OpenSSL without node-webcrypto-ossl
- Update dependencies HOT 1
- Need to update dependencies
- modify default reference HOT 1
- Question about ApplyTransformers
- Example for Enveloping signature
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from xmldsigjs.