Security Advisories (3)
CVE-2015-3451 (2015-04-23)

The _clone function does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function.

CVE-2017-10672 (2015-04-23)

Use-after-free in the XML-LibXML module through 2.0129 for Perl allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call.

CVE-2026-8177 (2026-05-10)

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.
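The first advisory above is about parser options not surviving into the parser object that new() and load_xml() actually use, so the practical defence is twofold: parse with entity substitution turned off, and check the resulting DOM to confirm the setting took effect rather than trusting it. The following is an added example written for this page, not code from the XML::LibXML distribution. It uses only documented XML::LibXML parser options (expand_entities, load_ext_dtd, no_network, huge) and a constructed sample document; the function name parse_hardened and the internal entity "greeting" are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;

# Constructed sample input: a document that declares an internal entity
# and references it inside an element.
my $xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY greeting "hello">
]>
<note><body>&greeting;</body></note>
XML

# Build a parser that does not substitute entities and does not reach
# outside the document for DTDs or network resources. The option names
# are XML::LibXML's documented parser options.
sub parse_hardened {
    my ($string) = @_;
    my $parser = XML::LibXML->new(
        expand_entities => 0,   # keep entity references as nodes, do not substitute them
        load_ext_dtd    => 0,   # never fetch an external DTD
        no_network      => 1,   # refuse network access while parsing
        huge            => 0,   # keep libxml2's default entity and size limits in force
    );
    return $parser->load_xml(string => $string);
}

# Regression check for the CVE-2015-3451 class of bug: if the options were
# silently dropped, the reference would have been replaced by text. With
# expand_entities => 0 the child of <body> must be an entity-reference
# node, not a text node holding "hello".
sub entities_left_unexpanded {
    my ($doc) = @_;
    my ($body) = $doc->findnodes('/note/body');
    my @kids   = $body->childNodes;
    return 0 unless @kids == 1;
    return $kids[0]->nodeType == XML_ENTITY_REF_NODE ? 1 : 0;
}

my $doc = parse_hardened($xml);
die "parser expanded entities despite expand_entities => 0\n"
    unless entities_left_unexpanded($doc);
print "entity references preserved; serialised body: ",
      ($doc->findnodes('/note/body'))[0]->toString, "\n";
```

XML_ENTITY_REF_NODE is one of the node-type constants XML::LibXML exports by default. Running the script against a build with the advisory's bug would trigger the die, which is the point: a configuration that cannot be observed in the output is not a configuration you can rely on.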

NAME

XML::LibXML::SAX::Parser - LibXML DOM based SAX Parser

SYNOPSIS

my $handler = MySAXHandler->new();
my $parser = XML::LibXML::SAX::Parser->new(Handler => $handler);
$parser->parse_uri("foo.xml");

DESCRIPTION

This class allows you to generate SAX2 events using LibXML. Note that this is not a stream-based parser; instead it parses documents into a DOM and traverses the DOM tree. The reason is that libxml2's stream-based parsing is extremely primitive, and would require an extreme amount of work to allow SAX2 parsing in a streaming manner.

WARNING

WARNING WARNING WARNING

This is NOT a streaming SAX parser. As I said above, this parser reads the entire document into a DOM and serialises it. Some people couldn't read that in the paragraph above so I've added this warning.

There are many reasons, but if you want to write a proper SAX parser using the libxml2 library, please feel free and send it along to me.

API

The API is exactly the same as any other Perl SAX2 parser. See XML::SAX::Intro for details.

Aside from the regular parsing methods, you can access the DOM tree traverser directly, using the generate() method:

my $parser = XML::LibXML::SAX::Parser->new(...);
$parser->generate($dom_tree);

This is useful for serialising DOM trees as SAX events, for example trees you have already done processing on, or trees you have as the result of XSLT processing.
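The synopsis and the generate() description above are the two entry points this class offers: hand it a document to parse, or hand it a DOM you already hold. The following added example (not code from the XML::LibXML distribution) exercises both with one handler built on XML::SAX::Base, whose start_element, end_element and characters callbacks and whose Perl SAX2 event structures (Name, Attributes keyed "{namespace-uri}local-name", Data) are the standard ones XML::SAX::Intro describes. The handler class name MySAXHandler is taken from the synopsis; the sample document, the element counting and the indentation are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# A minimal SAX2 handler. Inheriting from XML::SAX::Base gives us no-op
# defaults for every event we do not override.
package MySAXHandler;
use parent 'XML::SAX::Base';

sub new {
    my ($class, %args) = @_;
    my $self = $class->SUPER::new(%args);
    $self->{depth}  = 0;    # current nesting level, for indentation
    $self->{counts} = {};   # element name => number of times seen
    return $self;
}

sub start_element {
    my ($self, $el) = @_;
    $self->{counts}{ $el->{Name} }++;
    # Attributes arrive as a hash keyed "{namespace-uri}local-name"; each
    # value carries Name (qualified) and Value. Sort for stable output.
    my @attrs = map { qq{$_->{Name}="$_->{Value}"} }
                sort { $a->{Name} cmp $b->{Name} }
                values %{ $el->{Attributes} };
    print '  ' x $self->{depth}, "<$el->{Name}",
          (@attrs ? ' ' . join(' ', @attrs) : ''), ">\n";
    $self->{depth}++;
    $self->SUPER::start_element($el);
}

sub end_element {
    my ($self, $el) = @_;
    $self->{depth}--;
    $self->SUPER::end_element($el);
}

sub characters {
    my ($self, $chars) = @_;
    my $text = $chars->{Data};
    $text =~ s/^\s+|\s+$//g;            # drop indentation-only text nodes
    print '  ' x $self->{depth}, qq{"$text"\n} if length $text;
    $self->SUPER::characters($chars);
}

# Report what the traversal saw, so callers can check it programmatically.
sub counts { return $_[0]->{counts} }

package main;
use XML::LibXML;
use XML::LibXML::SAX::Parser;

# Constructed sample document (not from the page).
my $xml = <<'XML';
<inventory xmlns:s="urn:example:stock">
  <item id="a1" s:qty="3">Widget</item>
  <item id="b2">Gadget</item>
</inventory>
XML

# 1. The regular SAX2 entry point. As the DESCRIPTION says, the whole
#    document is parsed into a DOM first and the tree is then walked.
my $handler = MySAXHandler->new();
my $parser  = XML::LibXML::SAX::Parser->new(Handler => $handler);
$parser->parse_string($xml);
printf "items seen by parse_string: %d\n", $handler->counts->{item} || 0;

# 2. generate(): replay a DOM you already hold as SAX events. Here the
#    tree is modified first, which is the use case the API section gives.
my $doc = XML::LibXML->load_xml(string => $xml);
my ($first) = $doc->findnodes('/inventory/item[1]');
$first->setAttribute('checked', 'yes');
my $handler2 = MySAXHandler->new();
XML::LibXML::SAX::Parser->new(Handler => $handler2)->generate($doc);
printf "items seen by generate: %d\n", $handler2->counts->{item} || 0;
```

Both runs drive the same handler, which is the practical value of generate(): any SAX2 consumer you have written for parsed input also works on a DOM produced elsewhere, such as the output of an XSLT transform. Because the parser is DOM-backed, memory use is proportional to the document, not to a window of it, which is what the WARNING section is telling you.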