DEV Community

lenavonmilize

xml2json XML injection

Description

The toXml() function provides a sanitize option that developers enable to protect XML output from injection. However, sanitization is only applied to attribute values and text content and never to tag names or attribute names. An attacker who controls JSON object keys can inject arbitrary XML attributes and elements into the output, bypassing sanitization entirely.

Impact

Applications that:

  1. Accept JSON input where keys are user-controlled (e.g. dynamic XML builders)
  2. Call toXml(userJson, { sanitize: true }) expecting safe output
  3. Render or forward the resulting XML to a browser or downstream XML parser
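Because the sanitize option described above only escapes attribute values and text content, the practical mitigation on the application side is to validate the JSON keys themselves before the object ever reaches toXml(). The following is an added example, not code from xml2json or from the post's author: it walks a JSON object (including arrays) and reports every key that is not a plain XML name. The function names findUnsafeXmlKeys and assertSafeXmlKeys, the XML_NAME pattern, and the SPECIAL_KEYS allow-list are this example's own choices; the allow-list assumes `$t` is the serializer's text-node key, which you should adjust to match the representation your application actually feeds to toXml().

```javascript
// Added example (not xml2json's own code): reject JSON keys that are not
// valid XML element/attribute names before the object reaches toXml().
// Assumed names: XML_NAME, SPECIAL_KEYS, findUnsafeXmlKeys, assertSafeXmlKeys.

// Conservative subset of the XML 1.0 Name production. It deliberately excludes
// ':' (no namespace-prefix tricks) and, by construction, whitespace, quotes,
// '<', '>', '/', and '=', so a key can never close or extend a tag or attribute.
const XML_NAME = /^[A-Za-z_][A-Za-z0-9_.-]*$/;

// Keys the serializer treats specially rather than emitting as names.
// '$t' is assumed here to be the text-node key; adapt to your configuration.
const SPECIAL_KEYS = new Set(['$t']);

// Walks the value recursively and returns the paths of all offending keys.
// An empty array means every key is safe to emit as an element or attribute name.
function findUnsafeXmlKeys(value, path = []) {
  const bad = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => {
      bad.push(...findUnsafeXmlKeys(item, [...path, String(i)]));
    });
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      if (!SPECIAL_KEYS.has(key) && !XML_NAME.test(key)) {
        bad.push([...path, key].join('/'));
      }
      bad.push(...findUnsafeXmlKeys(value[key], [...path, key]));
    }
  }
  return bad;
}

// Guard to run before toXml(userJson, { sanitize: true }): throws on any
// unsafe key and otherwise hands the object back unchanged.
function assertSafeXmlKeys(userJson) {
  const bad = findUnsafeXmlKeys(userJson);
  if (bad.length > 0) {
    throw new Error('unsafe XML name(s) in JSON keys: ' + bad.join(', '));
  }
  return userJson;
}

// Constructed sample inputs for demonstration.
// Benign: ordinary names plus a text node whose content sanitize would escape.
const benignInput = { user: { name: 'alice', role: 'viewer', $t: 'hello <world>' } };
// Hostile: the key itself carries a quote, which sanitize never touches.
const hostileInput = { user: { 'name" injected="1': 'x', role: 'viewer' } };
// Mixed: a bad key nested inside an array element and a key starting with a digit.
const nestedInput = { items: [{ ok: 1 }, { 'bad key': 2 }], '1st': 'x' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findUnsafeXmlKeys(benignInput));   // []
  console.log(findUnsafeXmlKeys(hostileInput));  // [ 'user/name" injected="1' ]
  console.log(findUnsafeXmlKeys(nestedInput));   // [ 'items/1/bad key', '1st' ]
}
```

Run the guard on every object whose keys may come from a request body, and keep the check even when sanitize is enabled: the two address different parts of the output. If your application has a fixed schema, a stricter alternative is to copy only known keys into a fresh object and discard the rest, which removes the need to reason about the name grammar at all.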
