unescapeXML decodes any numeric entity, not just a whitelisted set

This allows unescapeXML to correctly parse strings like @ (@) and complex sequences like 🐍 (U+1F40D, Snake).
xmppjs · Jun 15, 2018 · 40ab541 · 40ab541
1 parent 29275d7
commit 40ab541
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/lib/escape.js b/lib/escape.js
@@ -26,6 +26,13 @@ var unescapeXMLTable = {
 }
 
 function unescapeXMLReplace (match) {
+  if (match[1] === '#') {
+    if (match[2] === 'x') {
+      return String.fromCodePoint(parseInt(match.slice(3), 16))
+    } else {
+      return String.fromCodePoint(parseInt(match.slice(2), 10))
+    }
+  }
   return unescapeXMLTable[match]
 }
 
@@ -34,7 +41,7 @@ exports.escapeXML = function escapeXML (s) {
 }
 
 exports.unescapeXML = function unescapeXML (s) {
-  return s.replace(/&(amp|#38|lt|#60|gt|#62|quot|#34|apos|#39);/g, unescapeXMLReplace)
+  return s.replace(/&(amp|lt|gt|quot|apos|#x[0-9a-fA-F]+|#[0-9]+);/g, unescapeXMLReplace)
 }
 
 exports.escapeXMLText = function escapeXMLText (s) {