The Expat XML Parser

Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags). An introductory article on using Expat is available on xml.com.

This project aims to maintain Expat for both current and future users while improving the API to allow more reliable and robust access from "scripting" languages such as Python and Perl. We invite the community to participate on the mailing lists to help shape the future of Expat.

News

18 June 2016, Expat 2.2.0 released.

Release 2.2.0 includes security & other bug fixes.

Security fixes

CVE-2016-0718 (issue 537): Fix crash on malformed input
CVE-2016-4472: Improve insufficient fix to CVE-2015-1283 / CVE-2015-2716 introduced with Expat 2.1.1
CVE-2016-5300 (issue 499): Use more entropy for hash initialization than the original fix to CVE-2012-0876
CVE-2012-6702 (issue 519): Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 (issue 496)

Bug fixes

Fix uninitialized reads of size 1 (e.g. in little2_updatePosition)
Fix detection of UTF-8 character boundaries

Other changes

Fix compilation for Visual Studio 2010 (bug 532)
Autotools: Resolve use of "$<" to better support bmake
Autotools: Add QA script "qa.sh" (and make target "qa")
Autotools: Respect CXXFLAGS if given
Autotools: Fix "make run-xmltest"
Autotools: Have "make run-xmltest" check for expected output
CMake: Fix static build (BUILD_shared=OFF) on Windows (patch 90)
CMake: Add soversion, support -DNO_SONAME=yes to bypass (bug 536)
CMake: Add suffix "d" to differentiate debug from release (bug 323)
CMake: Define WIN32 with CMake on Windows
Annotate memory allocators for GCC
Address all currently known compile warnings
Make sure that API symbols remain visible despite -fvisibility=hidden
Remove executable flag from source files
Resolve COMPILED_FROM_DSP in favor of WIN32

Special thanks to

Björn Lindahl
Christian Heimes
Cristian Rodríguez
Daniel Krügler
Gustavo Grieco
Karl Waclawek
László Böszörményi
Pascal Cuoq
Sergei Nikulov
Thomas Beutlich
Warren Young
Yann Droneaud

12 March 2016, Expat 2.1.1 released.

Release 2.1.1 includes security & other bug fixes.

Security fixes

CVE-2015-1283 — Multiple integer overflows in the XML_GetBuffer function (bug 528)

Bug fixes

Fix potential null pointer dereference (bug 502)
Symbol XML_SetHashSalt was not exported (bug 520)
Output of xmlwf -h was incomplete

Other changes

Document behavior of calling XML_SetHashSalt with salt 0 (bug 503)
Minor improvements to man page xmlwf(1)
Improvements to the experimental CMake build system
libtool now invoked with --verbose

24 March 2012, Expat 2.1.0 released.

Release 2.1.0 includes security & other bug fixes, new features, and updated build support.

Security fixes

Memory leak in poolGrow (CVE-2012-1148)
Resource leak in readfilemap.c (CVE-2012-1147)
Hash DOS attack (CVE-2012-0876)
Buffer over-read and crash in big2_toUtf8 (CVE-2009-3560)
Parser crash with special UTF-8 sequences (CVE-2009-3270)

New features

Added function XML_SetHashSalt that allows setting an initial value (salt) for hash calculations (part of the fix for bug 3496608).
When compiled with XML_ATTR_INFO defined, adds new API member XML_GetAttributeInfo() that allows retrieving the byte offsets for attribute names and values (patch 3446384).
Added CMake build system (bug 2990652, patch 3312568).
Added run-benchmark target to Makefile.in - relies on testdata module present in the same relative location as in the repository.

Bug fixes

Harmful XML_ParserCreateNS suggestion (1742315)
CVE-2012-1147 - Resource leak in readfilemap.c (2895533)
Expat build fails on linux-amd64 with gcc version>=4.1 -O3 (1785430)
Build modifications using autoreconf instead of buildconf.sh (1983953, 2517952, 2517962, 2649838)
OBJEXT and EXEEXT support while building (2815947, 2884086)
CVE-2009-3720 - Parser crash with special UTF-8 sequences (1990430)
xmlwf should return non-zero exit status if not well-formed (2517938)
Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml (2517946)
Dangling positionPtr after error (2855609)
CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8() (2894085)
CVE-2012-1148 - Memory leak in poolGrow (2958794)
UNEXPECTED_STATE with a trailing "%" in entity value (3010819)
Unitialized memory returned from XML_Parse (3206497)
make check fails on mingw-w64 (87849)

5 June 2007, Expat 2.0.1 released.

Release 2.0.1 of the Expat XML parser is a bugfix release resolving both code and build related issues. Changes include:

Fixed: The character data handler's calling of XML_StopParser() was not handled properly; if the parser was stopped and the handler set to NULL, the parser would segfault.
Fixed: Expat failed on EBCDIC systems as it assumed some character constants to be ASCII encoded.
Minor cleanups of the test harness.
Minor fixes for xmlwf and example programs.
Fixes and improvements for the Windows platform. New Windows directory structure.
Build fixes for various platforms: HP-UX, Tru64, Solaris 9.
Build fixes for Unix:
- Refreshed config.sub/config.guess.
- Support both, DESTDIR and INSTALL_ROOT, without relying on GNU-Make specific features.
- Patched configure.in to work better with Intel compiler.
- Fixes to Makefile.in to have make check work correctly.
Added Open Watcom support.

11 January 2006, Expat 2.0.0 released.

Release 2.0.0 of the Expat XML parser is the end point of the 1.95.X series of releases. The goal was to solidify and stabilize the implementation of the given API, to add desirable features as long as they fit with the API, and to keep the API backwards compatible if extensions were required. Changes include:

Fixed headers for use from C++.
XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() now return unsigned integers.
Added XML_LARGE_SIZE switch to enable 64-bit integers for byte indexes and line/column numbers.
Added support for AmigaOS.
Some mostly minor bug fixes. SF issues include: 1006708, 1021776, 1023646, 1114960, 1156398, 1221160, 1271642.

Old news archive

References & 3rd-party Wrappers

If you know of any additional articles or resources which should be linked to from this page, please send email to Fred Drake (fdrake@acm.org). We're especially interested in links to tutorial information and open source interfaces to Expat from languages other than C.

James Clark's original Expat page, for Expat 1.2 and earlier
Introductory article on using Expat on xml.com
LuaExpat is a wrapper around Expat for the Lua programming language. The LuaSOAP library is a SOAP implementation built on top of LuaExpat.
Perl's XML::Parser module is a wrapper built around a binding to Expat in the XML::Parser::Expat module.
Documentation for the Python interface to Expat, part of the standard documentation for Python.
SAXExpat.NET, a .NET wrapper for Expat, conforming to the SAX for .NET specifications.
The Simple C Expat Wrapper is a wrapper around Expat that provides a light-weight object model somewhat like a DOM.
C++ Wrappers for the Expat XML Parser, an article by Tim Smith providing object-oriented wrappers for Expat. The wrappers use some MFC-biased naming, but look interesting.
Arabica -- an XML Parser toolkit for C++ programmers, with SAX2 implementations based on several parsers, including Expat.
ExpatMM -- C++ interface to Expat
SAX2 Wrapper for using Expat in Delphi, based on "SAX for Pascal" interface specs
The TclXML project includes a Tcl binding for Expat
tDOM is an alternate package providing XML support for Tcl, based in part on Expat.
Article on using Expat from PHP on <?PHPBuilder?>
(broken into lots of tiny pieces)
Objective-C interface to Expat
OCaml Expat is a wrapper around Expat for the Objective Caml language.
Ruby interface to Expat
XML Tools 2 is an AppleScript scripting addition that allows AppleScript applications to work with XML data; it is based on Expat.
Simkin is an open source scripting language available under the GNU LGPL. It can be embedded in XML and supports a DOM-like API backed by Expat.
EasySoap is a C++ SOAP implementation which uses Expat.
A discussion of another way to manage stateful callbacks, using Expat as a sample library.
The GOBO project is working on an Eiffel binding for Expat. Development is active and the package is fully supported in GOBO 3.0 and 3.1, though there isn't much status information about the Expat bindings on the website. (Most activity is reportedly on the relevant mailing lists.)
Expat4D is a plug-in for the 4th Dimension application framework.