The package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output.
The issue is in the DOM construction and serialization flow for processing instruction nodes.
When createProcessingInstruction(target, data) is called, the supplied data string is stored directly on the node without validation. Later, when the document is serialized, the serializer writes PI nodes by concatenating <?, the target, a space, node.data, and ?> directly.
That behavior is unsafe because processing instructions are a syntax-sensitive context. The closing delimiter ?> terminates the PI. If attacker-controlled input contains ?>, the serializer does not preserve it as literal PI content. Instead, it emits output where the remainder of the payload is treated as live XML markup.
The same class of vulnerability was previously addressed for CDATA sections (GHSA-wh4c-j3r5-mjhp / CVE-2026-34601), where ]]> in CDATA data was handled by splitting. The serializer applies no equivalent protection to processing instruction data.
lib/dom.js — createProcessingInstruction (lines 2240–2246):
```js
createProcessingInstruction: function (target, data) {
  var node = new ProcessingInstruction(PDC);
  node.ownerDocument = this;
  node.childNodes = new NodeList();
  node.nodeName = node.target = target;
  node.nodeValue = node.data = data;
  return node;
},
```
No validation is performed on data. Any string including ?> is stored as-is.
lib/dom.js — serializer PI case (line 2966):
```js
case PROCESSING_INSTRUCTION_NODE:
  return buf.push('<?', node.target, ' ', node.data, '?>');
```
node.data is emitted verbatim. If it contains ?>, that sequence terminates the PI in the output...
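Added example (not xmldom's code): the verbatim concatenation described above beside a constructor that applies the DOM Standard rule for createProcessingInstruction (reject data containing `?>`) and a serializer that re-checks at write time. The function names, the constructed payload and the simplified ASCII-only target check are assumptions.

```javascript
// Vulnerable shape: PI data is emitted verbatim, mirroring the serializer case above.
function serializePI(target, data) {
  return '<?' + target + ' ' + data + '?>';
}

// Hardened constructor: the XML grammar gives PI data no escape for "?>", so the
// DOM Standard requires rejecting it (InvalidCharacterError) rather than encoding it.
// Target check is a simplified ASCII Name production; "xml" is reserved by XML 1.0.
function createProcessingInstructionSafe(target, data) {
  if (!/^[A-Za-z_:][\w.\-:]*$/.test(target) || target.toLowerCase() === 'xml') {
    throw new Error('InvalidCharacterError: invalid PI target');
  }
  if (String(data).includes('?>')) {
    throw new Error('InvalidCharacterError: PI data must not contain "?>"');
  }
  return { nodeType: 7, target: target, data: data };
}

// Serializer-side defence in depth: node.data is a plain writable property, so a
// constructor-only check is bypassed if data is reassigned after creation.
function serializePISafe(node) {
  if (String(node.data).includes('?>')) {
    throw new Error('InvalidStateError: PI data contains "?>"');
  }
  return '<?' + node.target + ' ' + node.data + '?>';
}

// Structural check usable on serialized output: count PIs a scanner sees.
// One logical PI whose data contains "?>" shows up as two (or more) PIs plus stray markup.
function countPIs(xml) {
  return (xml.match(/<\?[^?]*\?>/g) || []).length;
}

// Constructed sample input: PI data that closes the PI early and is followed by markup.
const constructedPayload = 'x?><injected/><?trail';

// serializePI('a', constructedPayload) -> '<?a x?><injected/><?trail?>' (2 PIs, 1 element)
// createProcessingInstructionSafe('a', constructedPayload) -> throws
```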
CVSS 4.0 base score: 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Exploitability: Attack Vector Network, Attack Complexity Low, Attack Requirements None, Privileges Required None, User Interaction None
Vulnerable System: Confidentiality None, Integrity High, Availability None
Subsequent System: Confidentiality None, Integrity None, Availability None