DEV Community: lenavonmilize The latest articles on DEV Community by lenavonmilize (@lenavonmilize). https://dev.to/lenavonmilize https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3928163%2F7b4104fd-e5a8-4fab-8e6c-94e571f0735d.jpg DEV Community: lenavonmilize https://dev.to/lenavonmilize en xml2json XML injection lenavonmilize Wed, 13 May 2026 00:44:00 +0000 https://dev.to/lenavonmilize/xml2json-xml-injection-3i4f https://dev.to/lenavonmilize/xml2json-xml-injection-3i4f <h2> Description </h2> <p>The <code>toXml()</code> function provides a <code>sanitize</code> option that developers enable to protect XML output from injection. However, sanitization is only applied to <strong>attribute values</strong> and <strong>text content</strong> and never to <strong>tag names or attribute names</strong>. An attacker who controls JSON object keys can inject arbitrary XML attributes and elements into the output, bypassing sanitization entirely.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8hhzhdz5l5zd5yuwc8rq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8hhzhdz5l5zd5yuwc8rq.png" alt=" " width="675" height="745"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnooja735mcyt7o18u2s0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnooja735mcyt7o18u2s0.png" alt=" " width="800" height="211"></a></p> <h2> Impact </h2> <p>Applications that:</p> <ol> <li>Accept JSON input where keys are user-controlled (fe dynamic XML builders)</li> <li>Call <code>toXml(userJson, { sanitize: true })</code> expecting safe output</li> <li>Render or forward the resulting XML to a browser or downstream XML parser</li> </ol> cve