encoding/xml: accepts names containing : followed by a character that cannot start a Name

[DemiMarie]

Go version

1.22

Output of go env in your module/workspace:

What is on https://go.dev/play as of when this issue is filed

What did you do?

Ran the following Go code:

package main

import (
	"encoding/xml"
	"fmt"
)

func main() {
	err := xml.Unmarshal([]byte(`<a:1/>`), new(interface{}))
	if err != nil {
		fmt.Printf("XML correctly rejected with error %#v", err)
	} else {
		fmt.Println("No error?")
	}
}

What did you see happen?

No error? displayed, indicating successful unmarshaling.

What did you expect to see?

Parsing should fail because a:1 isn’t a valid XML QName. This is because a QName is either one NCName (a Name with no :) or two NCNames separated by :. 1 isn’t a valid Name, so it isn’t a valid QName either.

The simplest fix (which will also fix #68393) is to remove : from the list of characters valid in a Name, and instead have nsname() work in two steps:

1. Read a Name.
2. Check if the next byte is :.
3. If it is not, unread it.
4. If it is, read another Name.

[gabyhelp]

Related Issues and Documentation

• encoding/xml: allows a colon before or after an XML name #68294
• encoding/xml: accepts invalid XML with multiple colons #20396 (closed)
• encoding/xml: Decoder doesn't recognize valid characters in entity names #3813 (closed)
• encoding/xml: XML tag name that consist of ':' doesn't get umarshaled properly #62075
• encoding/xml: Unmarshal does not properly handle NCName in XML namespaces #9775
• encoding/xml: support QName values / expose namespace bindings #12406
• encoding/xml: mismatching namespace error misses a space char #49635 (closed)
• encoding/xml: accepts XML with no space between attributes #68385

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/609377 mentions this issue: encoding/xml: treat a namespaced name as two names, not one