0.8.19 (older version)
From kornelski/crev-proofs copy of git.savannah.gnu.org.
This review is from cargo-vet. To add your review, set up cargo-vet
and submit your URL to its registry.
The current version of xml-rs is 0.8.24.
cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.
May have been packaged automatically without a review
These reviews are from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.
0.8.16 (older version) Thoroughness: High Understanding: High
Approved without comment by kornelski on 2023-09-03
0.8.13 (older version) Thoroughness: High Understanding: High
Approved without comment by kornelski on 2023-05-24
0.8.0 (older version) Thoroughness: Medium Understanding: Medium
by MaulingMonkey on 2019-09-03
Fairly full review. Looks solid.
Pros:
Cons:
File | Rating | Notes |
---|---|---|
src/reader/parser/inside_cdata.rs | +1 | Going through tokenizer at all unnerves me slightly |
src/reader/parser/inside_closing_tag_name.rs | +1 | |
src/reader/parser/inside_comment.rs | +1 | |
src/reader/parser/inside_declaration.rs | +1 | |
src/reader/parser/inside_doctype.rs | +1 | |
src/reader/parser/inside_opening_tag.rs | +1 | |
src/reader/parser/inside_processing_instruction.rs | +1 | |
src/reader/parser/inside_reference.rs | +1 | |
src/reader/parser/mod.rs | +1 | |
src/reader/parser/outside_tag.rs | +1 | |
src/reader/config.rs | +1 | |
src/reader/error.rs | +1 | |
src/reader/events.rs | +1 | |
src/reader/lexer.rs | +1 | |
src/reader/mod.rs | +1 | |
src/writer/config.rs | +1 | Two space indents by default is heresy but whatever. |
src/writer/emitter.rs | 0 | Encodings not escaped, namespace URIs not escaped. General attributes are escaped though. CDATA containing ]]> not fixed. |
src/writer/events.rs | +1 | |
src/writer/mod.rs | +1 | |
src/analyze.rs | +1 | Should really be moved to bins or examples or something. |
src/attribute.rs | +1 | |
src/common.rs | 0 | Caught netvl/xml-rs#179 |
src/escape.rs | +1 | |
src/lib.rs | +1 | |
src/macros.rs | +1 | |
src/name.rs | +1 | |
src/namespace.rs | +1 | |
src/util.rs | +1 | |
tests/documents/sample_1_full.txt | +1 | skimmed |
tests/documents/sample_1_short.txt | +1 | skimmed |
tests/documents/sample_1.xml | +1 | skimmed |
tests/documents/sample_2_full.txt | +1 | skimmed |
tests/documents/sample_2_short.txt | +1 | skimmed |
tests/documents/sample_2.xml | +1 | skimmed |
tests/documents/sample_3_full.txt | +1 | skimmed |
tests/documents/sample_3_short.txt | +1 | skimmed |
tests/documents/sample_3.xml | +1 | skimmed |
tests/documents/sample_4_full.txt | +1 | skimmed |
tests/documents/sample_4_short.txt | +1 | skimmed |
tests/documents/sample_4.xml | +1 | skimmed |
tests/documents/sample_5_short.txt | +1 | skimmed |
tests/documents/sample_5.xml | +1 | skimmed |
tests/event_reader.rs | +1 | |
tests/event_writer.rs | +1 | |
tests/streaming.rs | +1 | |
.cargo-ok | +1 | |
.gitignore | +1 | |
.travis.yml | +1 | Installs pip travis-cargo |
Cargo.toml | +1 | |
Cargo.toml.orig | +1 | |
Changelog.md | +1 | |
design.md | +1 | TODO list |
LICENSE | +1 | MIT, matching Cargo.toml |
Readme.md | +1 | MIT Licensed |
Other | Rating | Notes |
---|---|---|
unsafe | +1 | One small use in test case, PR to remove upstream and apply deny(unsafe_code) lint. |
fs | +1 | Only in analyze (and maybe tests?), and sanely |
io | +1 | |
docs | +1 | |
tests | 0 | Needs more fuzz tests |
Line | What | Notes |
---|---|---|
23 | predefined XML entities | Apparently these 5 are the only predefined entities in XML. Don't have to worry about the hundreds HTML supports. |
52 | custom XML entities | Not recursive, no XML bomb here unless DTD constructed a huge entry for extra_entities already. |
&impl ?Sized+AsRef<str>
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use `cargo crev open xml-rs`. Alternatively, you can download the tarball of xml-rs v0.8.24 or view the source online.
Packaged for Guix (crates-io)