XmlParse()

Converts an XML document that is represented as a string variable into an XML document object.

XmlParse( xmlString=string, caseSensitive=boolean, validator=any, lenient=boolean );

Returns: Xml

Argument Description Default
xmlString
string, required

Any of the following:

Alias: xmlStr, xmlText, xml

caseSensitive
boolean, optional

Maintains the case of document elements and attributes. Default: false

validator
any, optional

Any of the following:

  • A string containing a DTD or Schema
  • The name of a DTD or Schema file
  • The URL of a DTD or Schema file; valid protocol identifiers include http, https, ftp, and file
  • A struct of xmlFeatures directives (since 5.4.2.20) — overrides the application-level XML security settings for this single parse call. See the usage notes below for available keys.

lenient
boolean, optional

If set to true, the parser is more lenient: it forgives invalid XML and does its best to interpret it.

Introduced: 5.3.8.135

Default: false

Usage Notes

Since Lucee 5.4.2 and 6.0, XML parsing is secure by default — DOCTYPE declarations and external entities are blocked to prevent XXE attacks.

You can pass a struct of xmlFeatures as the validator argument to override the security settings for a single parse call, or set this.xmlFeatures in Application.cfc for application-wide configuration.

See the XML Security with xmlFeatures recipe for full details and examples.

Examples

Basic Usage

xml_stream = "
	<note>
		<to>Alice</to>
		<from>Bob</from>
		<heading>Reminder</heading>
		<body>Here is the message you requested.</body>
	</note>
";
dump( XmlParse( xml_stream ) );

Parsing XML with DOCTYPE (xmlFeatures override)

By default, XML containing a DOCTYPE declaration is blocked. To parse such XML, pass an xmlFeatures struct as the validator argument:

xmlWithDoctype = '<?xml version="1.0"?>
	<!DOCTYPE hibernate-mapping PUBLIC
		"-//Hibernate/Hibernate Mapping DTD 3.0//EN"
		"http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd">
	<hibernate-mapping></hibernate-mapping>';
// this will throw an error with secure defaults
try {
	doc = xmlParse( xmlWithDoctype );
	echo( "parsed ok" );
} catch ( e ) {
	echo( "Blocked: " & e.message );
}
echo( "<br><br>" );
// override xmlFeatures to allow DOCTYPE for this call only
doc = xmlParse( xmlWithDoctype, false, {
	"secure": false,
	"disallowDoctypeDecl": false,
	"externalGeneralEntities": false
} );
echo( "Parsed with override: " & doc.xmlRoot.xmlName );

See the XML Security with xmlFeatures recipe for more details.
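
The check below is an added example, not part of the Lucee documentation: it parses two constructed sample documents under the application's effective settings, under an explicit strict xmlFeatures struct, and under the relaxed struct from the example above, and flags a DOCTYPE document that gets through the application default. The helper name tryParse and the strict struct (the same keys as above, set to their secure values) are assumptions of this example.

```cfml
// Added example (not from the Lucee docs); the sample XML is constructed.
// Assumption: the override struct accepts secure values as well as relaxed ones.
strictFeatures = {
	"secure": true,
	"disallowDoctypeDecl": true,
	"externalGeneralEntities": false
};
// relaxed values copied from the DOCTYPE example on this page
relaxedFeatures = {
	"secure": false,
	"disallowDoctypeDecl": false,
	"externalGeneralEntities": false
};

// tryParse is a hypothetical helper: it never throws, it reports the outcome
function tryParse( required string xml, struct features ) {
	var result = { "parsed": false, "root": "", "error": "" };
	try {
		// with no features struct, the application-level settings apply
		var doc = structKeyExists( arguments, "features" )
			? xmlParse( arguments.xml, false, arguments.features )
			: xmlParse( arguments.xml );
		result.parsed = true;
		result.root = doc.xmlRoot.xmlName;
	} catch ( any e ) {
		result.error = e.message;
	}
	return result;
}

samples = [
	{ "name": "plain", "xml": '<note><to>Alice</to></note>' },
	{ "name": "inline DOCTYPE", "xml": '<?xml version="1.0"?><!DOCTYPE note [ <!ELEMENT note ANY> ]><note>hi</note>' }
];

for ( sample in samples ) {
	appDefault = tryParse( sample.xml );
	strict = tryParse( sample.xml, strictFeatures );
	relaxed = tryParse( sample.xml, relaxedFeatures );
	echo( encodeForHtml( sample.name ) & ": app default=" & appDefault.parsed
		& ", strict=" & strict.parsed & ", relaxed=" & relaxed.parsed & "<br>" );
	// a DOCTYPE document accepted without an override means this.xmlFeatures was relaxed
	if ( findNoCase( "<!DOCTYPE", sample.xml ) && appDefault.parsed ) {
		echo( "WARNING: application-level xmlFeatures allow DOCTYPE<br>" );
	}
}
```

Passing the strict struct on calls that handle untrusted input keeps those calls locked down even if this.xmlFeatures is later relaxed for a legacy integration.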
