Revision history for XML-Simple
+2.25 2018-03-18 16:18:24+13:00 Pacific/Auckland
+ - disable entity expansion when using XML::Parser, for more secure default
+ behaviour (patch from Ray Morris)
+ - call to XML::Parser constructor is now in its own method to ease overriding
+
2.24 2017-04-17 16:12:00+12:00 Pacific/Auckland
- fix typo in last commit with mistakenly removed some underscores
- don't initialise $XML::Simple::PREFERRED_PARSER to undef as a caller may
-This software is copyright (c) 2015 by Grant McLean.
+This software is copyright (c) 2018 by Grant McLean.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
--- The GNU General Public License, Version 1, February 1989 ---
-This software is Copyright (c) 2015 by Grant McLean.
+This software is Copyright (c) 2018 by Grant McLean.
This is free software, licensed under:
--- The Artistic License 1.0 ---
-This software is Copyright (c) 2015 by Grant McLean.
+This software is Copyright (c) 2018 by Grant McLean.
This is free software, licensed under:
t/9_Strict.t
t/A_XMLParser.t
t/B_Hooks.t
+t/C_External_Entities.t
t/author-pod-syntax.t
t/desertnet.src
t/lib/TagsToUpper.pm
},
"test" : {
"requires" : {
+ "File::Temp" : "0",
"Test::More" : "0.88"
}
}
"web" : "https://github.com/grantm/xml-simple"
}
},
- "version" : "2.24"
+ "version" : "2.25"
}
author:
- 'Grant McLean <grantm@cpan.org>'
build_requires:
+ File::Temp: '0'
Test::More: '0.88'
configure_requires:
ExtUtils::MakeMaker: '0'
perl: '5.008'
resources:
repository: git://github.com/grantm/xml-simple.git
-version: '2.24'
+version: '2.25'
"XML::SAX::Expat" => 0
},
"TEST_REQUIRES" => {
+ "File::Temp" => 0,
"Test::More" => "0.88"
},
- "VERSION" => "2.24",
+ "VERSION" => "2.25",
"test" => {
"TESTS" => "t/*.t"
}
my %FallbackPrereqs = (
+ "File::Temp" => 0,
"Test::More" => "0.88",
"XML::NamespaceSupport" => "1.04",
"XML::SAX" => "0.15",
This archive contains the distribution XML-Simple,
-version 2.24:
+version 2.25:
An API for simple XML files
-This software is copyright (c) 2015 by Grant McLean.
+This software is copyright (c) 2018 by Grant McLean.
This is free software; you can redistribute it and/or modify it under
the same terms as the Perl 5 programming language system itself.
name = XML-Simple
author = Grant McLean <grantm@cpan.org>
-version = 2.24
+version = 2.25
license = Perl_5
copyright_holder = Grant McLean
-copyright_year = 2015
+copyright_year = 2018
main_module = lib/XML/Simple.pm
repository = git://github.com/grantm/xml-simple.git
[Prereqs / TestRequires]
Test::More = 0.88
+File::Temp = 0
package XML::Simple;
-$XML::Simple::VERSION = '2.24';
+$XML::Simple::VERSION = '2.25';
=head1 NAME
XML::Simple - An API for simple XML files
=head1 SYNOPSIS
-You really don't want to use this module in new code. If you ignore this
+PLEASE DO NOT USE THIS MODULE IN NEW CODE. If you ignore this
warning and use it anyway, the C<qw(:strict)> mode will save you a little pain.
use XML::Simple qw(:strict);
carp "'nsexpand' option requires XML::SAX";
}
- my $xp = XML::Parser->new(Style => 'Tree', @{$self->{opt}->{parseropts}});
+ my $xp = $self->new_xml_parser();
+
my($tree);
if($filename) {
# $tree = $xp->parsefile($filename); # Changed due to prob w/mod_perl
}
+##############################################################################
+# Method: new_xml_parser()
+#
+# Simply calls the XML::Parser constructor. Override this method to customise
+# the behaviour of the parser.
+#
+
+sub new_xml_parser {
+ my($self) = @_;
+
+ my $xp = XML::Parser->new(Style => 'Tree', @{$self->{opt}->{parseropts}});
+ $xp->setHandlers(ExternEnt => sub {return $_[2]});
+
+ return $xp;
+}
+
+
##############################################################################
# Method: cache_write_storable()
#
=head1 STATUS OF THIS MODULE
-The use of this module in new code is discouraged. Other modules are available
-which provide more straightforward and consistent interfaces. In particular,
-L<XML::LibXML> is highly recommended and L<XML::Twig> is an excellent
-alternative.
+The use of this module in new code is B<strongly discouraged>. Other modules
+are available which provide more straightforward and consistent interfaces. In
+particular, L<XML::LibXML> is highly recommended and you can refer to
+L<Perl XML::LibXML by Example|http://grantm.github.io/perl-libxml-by-example/>
+for a tutorial introduction.
+
+L<XML::Twig> is another excellent alternative.
The major problems with this module are the large number of options (some of
which have unfortunate defaults) and the arbitrary ways in which these options
=over 4
+=item new_xml_parser()
+
+This method will be called when a new XML::Parser object must be constructed
+(either because XML::SAX is not installed or XML::Parser is preferred).
+
=item handle_options(direction, name => value ...)
This method will be called when one of the parsing methods or the C<XMLout()>
=head1 Basics
-=head2 What is XML::Simple designed to be used for?
+=head2 What should I use XML::Simple for?
-XML::Simple is a Perl module that was originally developed as a tool for
-reading and writing configuration data in XML format. You can use it for
-many other purposes that involve storing and retrieving structured data in
-XML.
+Nothing!
+
+It's as simple as that.
+
+Choose a better module. See
+L<Perl XML::LibXML by Example|http://grantm.github.io/perl-libxml-by-example/>
+for a gentle introduction to L<XML::LibXML> with lots of examples.
-You might also find XML::Simple a good starting point for playing with XML
-from Perl. It doesn't have a steep learning curve and if you outgrow its
-capabilities there are plenty of other Perl/XML modules to 'step up' to.
+
+=head2 What was XML::Simple designed to be used for?
+
+XML::Simple is a Perl module that was originally developed as a tool for
+reading and writing configuration data in XML format. You could use it for
+other purposes that involve storing and retrieving structured data in
+XML but it's likely to be a frustrating experience.
=head2 Why store configuration data in XML anyway?
-The many advantages of using XML format for configuration data include:
+It seemed like a good idea at the time. Now, I use and recommend
+L<Config::General> which uses a format similar to that used by the Apache web
+server. This is easier to read than XML while still allowing advanced concepts
+such as nested sections.
+
+At the time XML::Simple was written, the advantages of using XML format for
+configuration data were thought to include:
=over 4
marked up text rather than structured data, you should probably use another
module.
+If your source XML documents change regularly, it's likely that you will
+experience intermittent failures. In particular, failure to properly use the
+ForceArray and KeyAttr options will produce code that works when you get a list
+of elements with the same name, but fails when there's only one item in the
+list. These types of problems can be avoided by not using XML::Simple in the
+first place.
+
If you are working with very large XML files, XML::Simple's approach of
representing the whole file in memory as a 'tree' data structure may not be
suitable.
=head2 How do I install XML::Simple?
-If you're running ActiveState Perl, you've probably already got XML::Simple
-(although you may want to upgrade to version 1.09 or better for SAX support).
+If you're running ActiveState Perl, or
+L<Strawberry Perl|http://strawberryperl.com/> you've probably already got
+XML::Simple and therefore do not need to install it at all. But you probably
+also have L<XML::LibXML>, which is a much better module, so just use that.
If you do need to install XML::Simple, you'll need to install an XML parser
module first. Install either XML::Parser (which you may have already) or
=head2 How do I use XML::Simple?
-If you had an XML document called /etc/appconfig/foo.xml you could 'slurp' it
-into a simple data structure (typically a hashref) with these lines of code:
-
- use XML::Simple;
-
- my $config = XMLin('/etc/appconfig/foo.xml');
+If you don't know how to use XML::Simple then the best approach is to
+L<learn to use XML::LibXML|http://grantm.github.io/perl-libxml-by-example/>
+instead. Stop reading this document and use that one instead.
-The XMLin() function accepts options after the filename.
+If you are determined to use XML::Simple, it come with copious documentation,
+so L<read that|XML::Simple>.
=head2 There are so many options, which ones do I really need to know about?
--- /dev/null
+use strict;
+use warnings;
+use Test::More;
+use File::Temp qw(tempfile);
+
+eval { require XML::Parser; };
+if($@) {
+ plan skip_all => 'no XML::Parser';
+}
+
+plan tests => 2;
+
+use XML::Simple;
+
+$XML::Simple::PREFERRED_PARSER = 'XML::Parser';
+
+my ($fh, $filename) = tempfile(UNLINK => 1);
+print $fh "bad";
+close $fh;
+
+my $xml = qq(<?xml version="1.0"?>
+<!DOCTYPE foo [ <!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "file://$filename" >]>
+<creds>
+ <user>&xxe;</user>
+ <pass>mypass</pass>
+</creds>
+);
+
+my $opt = XMLin($xml);
+isnt($opt->{'user'}, 'bad', 'External entity not retrieved');
+like($opt->{'user'}, qr/^file/, 'External entity left as URL');
+
+unlink($filename) if (-f $filename);
+exit(0);
projects / platform / upstream / perl-XML-Simple.git / commitdiff