Skip to content

fix(validator): reject numeric character references with no digits (&#; and &#x;)#840

Open
sravan27 wants to merge 1 commit into
NaturalIntelligence:masterfrom
sravan27:fix-empty-charref-validation
Open

fix(validator): reject numeric character references with no digits (&#; and &#x;)#840
sravan27 wants to merge 1 commit into
NaturalIntelligence:masterfrom
sravan27:fix-empty-charref-validation

Conversation

@sravan27

@sravan27 sravan27 commented Jun 15, 2026

Copy link
Copy Markdown

Bug

XMLValidator.validate reports malformed numeric character references as valid:

const { XMLValidator } = require("fast-xml-parser");
XMLValidator.validate("<r>&#x;</r>"); // true  (should be invalid)
XMLValidator.validate("<r>&#;</r>");  // true  (should be invalid)
XMLValidator.validate("<r>&#xG;</r>");// {err:...} invalid  (control — bad hex IS rejected)

Per the XML 1.0 CharRef production, a numeric reference must contain at least one digit (&#[0-9]+; or &#x[0-9a-fA-F]+;). &#; and &#x; have none.

Cause

src/validator.js, validateNumberAmpersand: the scan loop checks for ; before requiring any digit, so a ; immediately following &# or &#x returns a success index with zero digits consumed.

for (; i < xmlData.length; i++) {
  if (xmlData[i] ===

@sravan27
fix(validator): reject numeric char refs with no digits (&#; and &#x;)
fb0ead5 
validateNumberAmpersand returned success on a ';' immediately following
'&#' or '&#x', so XMLValidator.validate marked '<r>&#x;</r>' and
'<r>&#;</r>' as valid. XML 1.0 requires at least one digit in a CharRef.
@amitguptagwl

amitguptagwl commented Jun 16, 2026

Copy link
Copy Markdown
Member

@sarahdayan , please try with 'fast-xml-validator' and let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sravan27 @amitguptagwl