switch from xmldom to @xmldom/xmldom

[mtica]

xmldom is no longer maintained and is affected by https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39353

Please switch to https://www.npmjs.com/package/@xmldom/xmldom - the upgrade should be trivial as @xmldom/xmldom
is developed by the same team and is fully backwards compatible.

[billpatrianakos]

Thank you for the heads up. I would absolutely merge a change if someone made a pull request.

At this point in time I don't maintain any projects that use SAML in a JS environment and I've also archived all of those projects from my dev machine after buying a new one so just the setup alone would be tons of work for me. I keep this project up because I know there aren't any easy to use SAML libraries for Node around. If you or others think it's better I take this code down rather than let it hang out on the web with a vulnerability I'm open to that as well.

[rajpal1]

Thank you for the heads up. In my case, when I use the new version of @xmldom/xmldom, it doesn't work for some users, while it works in other cases. When I use the old version of xmldom, it works for all users.

Errors encountered:

[rajpal1]

Thank you for the heads up. In my case, when I use the new version of @xmldom/xmldom, it doesn't work for some users, while it works in other cases. When I use the old version of xmldom, it works for all users.

Errors encountered:

Hi got the solution

old changes

// Saml2js.parse
// -------------
// Private function.
// Parses raw SAML assertion to JS object.
Saml2js.prototype.parse = function(saml) {
var xml = new Buffer(saml, 'base64').toString('ascii'),
doc = new xmldom.DOMParser().parseFromString(xml),
profile = {};

var attributes = xpath.select('//[local-name() = "AttributeStatement"]/', doc);
attributes.forEach(function(attribute){
var name = xpath.select('string(@name)', attribute);
profile[_.camelCase(name)] = xpath.select('string(*[local-name() = "AttributeValue"]/text())', attribute);
});

latest changes in code

// Saml2js.parse
// -------------
// Private function.
// Parses raw SAML assertion to JS object.
Saml2js.prototype.parse = function(saml) {
var xml = Buffer.from(saml, 'base64').toString('utf-8'),
doc = new xmldom.DOMParser().parseFromString(xml),
profile = {};

var attributes = xpath.select('//[local-name() = "AttributeStatement"]/', doc);
attributes.forEach(function(attribute){
var name = xpath.select('string(@name)', attribute);
profile[_.camelCase(name)] = xpath.select('string(*[local-name() = "AttributeValue"]/text())', attribute);
});

return profile;
};

only this line will change
[var xml = new Buffer(saml, 'base64').toString('ascii')] change to [var xml = Buffer.from(saml, 'base64').toString('utf-8')]

and now code will work both samle