support strictReservedNames

amitguptagwl · amitguptagwl · commit c3ffbab9e5a2 · 2026-02-25T11:23:17.000+05:30
diff --git a/docs/v4/2.XMLparseOptions.md b/docs/v4/2.XMLparseOptions.md
@@ -11,6 +11,8 @@ const parser = new XMLParser(options);
 let jsonObj = parser.parse(xmlDataStr);
 ```
 
+> ⚠️ Security Note: If accepting untrusted JSON input, sanitize/validate property names before passing to the builder. Reserved property names like your configured commentPropertyName, cdataPropertyName , or attribute name after attributeNamePrefix should be blocked or escaped in untrusted input.
+
 Let's understand each option in detail with necessary examples
 
 ## allowBooleanAttributes
@@ -801,6 +803,7 @@ Output
 }
 ```
 
+
 ## stopNodes
 
 At particular point, if you don't want to parse a tag and it's nested tags then you can set their path in `stopNodes`.
@@ -857,6 +860,34 @@ nested stop notes are also not allowed
     <stop> invalid </stop>
 </stop>
 ```
+## strictReservedNames
+
+By default, FXP will throw an error if it encounters a tag or attribute name that matches a reserved property name set by user or default(e.g., `__comment`, `__cdata`).
+
+Setting `strictReservedNames: false` allows the parser to continue processing even if such names are found, treating them as regular tag or attribute names.
+
+Example:
+```js
+const xmlDataStr = `
+    <root>
+      <__comment>1</__comment>
+    </root>`;  
+
+const options = {
+    commentPropName: "__comment",
+    strictReservedNames: false
+};
+const parser = new XMLParser(options);
+const output = parser.parse(xmlDataStr);
+```
+Output:
+```json
+{
+    "root": {
+        "__comment": 1
+    }
+}
+```
 
 ## tagValueProcessor
 With `tagValueProcessor` you can control how and which tag value should be parsed.
diff --git a/lib/fxp.d.cts b/lib/fxp.d.cts
@@ -285,6 +285,13 @@ type X2jOptions = {
    * Defaults to `100`
    */
   maxNestedTags?: number;
+
+  /**
+   * Whether to strictly validate tag names
+   * 
+   * Defaults to `true`
+   */
+  strictReservedNames?: boolean;
 };
 
 type strnumOptions = {
diff --git a/spec/nfr_spec.js b/spec/nfr_spec.js
@@ -40,4 +40,38 @@ describe("XMLParser", function () {
     const parser = new XMLParser({ maxNestedTags: 101 });
     parser.parse(xmlData);
   });
+
+  it("should throw error for tag name with reserved name", function () {
+    const xmlData = `
+        <root>
+          <__comment>1</__comment>
+        </root>
+        `;
+    const parser = new XMLParser({
+      commentPropName: "__comment"
+    });
+    expect(() => parser.parse(xmlData)).toThrowError("Invalid tag name: __comment");
+  });
+
+
+  it("should not throw error for tag name with reserved name when strictReservedNames is false", function () {
+    const xmlData = `
+        <root>
+          <__comment>1</__comment>
+        </root>
+        `;
+    const parser = new XMLParser({
+      commentPropName: "__comment",
+      strictReservedNames: false
+    });
+    const expected = {
+      "root": {
+        "__comment": 1
+      }
+    }
+    let result = parser.parse(xmlData);
+    //console.log(JSON.stringify(result, null, 4));
+    expect(result).toEqual(expected);
+  });
+
 });
diff --git a/src/fxp.d.ts b/src/fxp.d.ts
@@ -285,6 +285,13 @@ export type X2jOptions = {
    * Defaults to `100`
    */
   maxNestedTags?: number;
+
+  /**
+   * Whether to strictly validate tag names
+   * 
+   * Defaults to `true`
+   */
+  strictReservedNames?: boolean;
 };
 
 
diff --git a/src/xmlparser/OptionsBuilder.js b/src/xmlparser/OptionsBuilder.js
@@ -39,6 +39,7 @@ export const defaultOptions = {
   // skipEmptyListItem: false
   captureMetaData: false,
   maxNestedTags: 100,
+  strictReservedNames: true,
 };
 
 /**
diff --git a/src/xmlparser/OrderedObjParser.js b/src/xmlparser/OrderedObjParser.js
@@ -163,6 +163,7 @@ function buildAttributesMap(attrStr, jPath, tagName) {
           aName = this.options.transformAttributeName(aName);
         }
         if (aName === "__proto__") aName = "#__proto__";
+
         if (oldVal !== undefined) {
           if (this.options.trimValues) {
             oldVal = oldVal.trim();
@@ -322,6 +323,13 @@ const parseXml = function (xmlData) {
           tagName = newTagName;
         }
 
+        if (this.options.strictReservedNames &&
+          (tagName === this.options.commentPropName
+            || tagName === this.options.cdataPropName
+          )) {
+          throw new Error(`Invalid tag name: ${tagName}`);
+        }
+
         //save text as child node
         if (currentNode && textData) {
           if (currentNode.tagname !== '!xml') {
