{"id":15548,"library":"body-parser-xml","title":"Express XML Body Parser","description":"`body-parser-xml` is an Express.js middleware that extends the widely used `body-parser` library, enabling applications to seamlessly parse incoming XML-formatted request bodies into JavaScript objects. Currently at stable version 2.0.5, this package integrates an `xml` method directly onto the `body-parser` object, allowing developers to handle XML APIs while working with familiar JSON-like structures. Its release cadence reflects active maintenance, with recent updates addressing Node.js version compatibility (supporting Node 10 and above) and critical security vulnerabilities, including prototype pollution and `xml2js` dependency issues. A key differentiator is its straightforward integration model, piggybacking on `body-parser`'s established middleware pattern and providing extensive options for XML parsing via the underlying `xml2js` library, such as `normalize` and `explicitArray`. This approach simplifies the handling of diverse XML content types in Express applications.","status":"active","version":"2.0.5","language":"javascript","source_language":"en","source_url":"https://github.com/fiznool/body-parser-xml","tags":["javascript","express","xml","middleware","body-parser"],"install":[{"cmd":"npm install body-parser-xml","lang":"bash","label":"npm"},{"cmd":"yarn add body-parser-xml","lang":"bash","label":"yarn"},{"cmd":"pnpm add body-parser-xml","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Required as a peer dependency, `body-parser-xml` extends its functionality by adding an `xml` method.","package":"body-parser","optional":false},{"reason":"Required for `app.use()` to register the XML parsing middleware.","package":"express","optional":false},{"reason":"Internal dependency for XML parsing, its options are exposed via `xmlParseOptions`.","package":"xml2js","optional":false}],"imports":[{"note":"This module exports a function that must be called with an 
initialized `body-parser` object. This mutates the `body-parser` instance to add the `.xml()` method.","wrong":"const bodyParserXml = require('body-parser-xml');","symbol":"body-parser-xml initialization (CommonJS)","correct":"const bodyParser = require('body-parser'); require('body-parser-xml')(bodyParser);"},{"note":"For ESM environments, import both `body-parser` and `body-parser-xml`, then call `bodyParserXml` with the `bodyParser` instance to extend it.","wrong":"import { xml } from 'body-parser-xml';","symbol":"body-parser-xml initialization (ESM)","correct":"import bodyParser from 'body-parser'; import bodyParserXml from 'body-parser-xml'; bodyParserXml(bodyParser);"},{"note":"The `xml` method becomes available on the `bodyParser` object *after* the `body-parser-xml` module has been initialized. It's then used like any other `body-parser` middleware.","wrong":"app.use(require('body-parser-xml'));","symbol":"bodyParser.xml middleware","correct":"app.use(bodyParser.xml({ limit: '1MB' }));"}],"quickstart":{"code":"const express = require('express');\nconst bodyParser = require('body-parser');\n\n// Initialize body-parser-xml to extend body-parser\nrequire('body-parser-xml')(bodyParser);\n\nconst app = express();\n\n// Use the XML middleware\n// It parses application/xml, text/xml, and +xml content types by default\napp.use(\n  bodyParser.xml({\n    limit: '1MB', // Reject payload bigger than 1 MB\n    xmlParseOptions: {\n      normalize: true, // Trim whitespace inside text nodes\n      explicitArray: false, // Prevents elements with a single child from being an array\n    },\n  })\n);\n\n// Define a route to handle XML POST requests\napp.post('/xml-data', (req, res) => {\n  if (!req.body) {\n    return res.status(400).send('No XML body received.');\n  }\n  console.log('Received XML data:', JSON.stringify(req.body, null, 2));\n  res.json({ message: 'XML data received and parsed', data: req.body });\n});\n\n// Start the server\nconst PORT = process.env.PORT || 
3000;\napp.listen(PORT, () => {\n  console.log(`Server listening on port ${PORT}`);\n  console.log('Send a POST request with Content-Type: application/xml to http://localhost:3000/xml-data');\n  console.log('Example cURL:');\n  console.log(`curl -X POST -H \"Content-Type: application/xml\" -d '<root><item>Hello</item><value>123</value></root>' http://localhost:3000/xml-data`);\n});","lang":"javascript","description":"This quickstart initializes an Express server with `body-parser-xml` to parse incoming XML requests into JavaScript objects available on `req.body`. It demonstrates configuring the middleware with `limit` and `xmlParseOptions` and includes a sample route to process and respond to XML data."},"warnings":[{"fix":"Upgrade Node.js to version 10 or newer, or stick to `body-parser-xml` v1.x for legacy Node.js environments.","message":"Version 2.0.0 removed official support for Node.js versions older than 10. Users on older Node.js environments must upgrade their runtime or remain on `body-parser-xml` v1.x.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Upgrade to `body-parser-xml` version 2.0.3 or higher immediately to patch the prototype pollution vulnerability.","message":"A prototype pollution vulnerability (CVE-2022-25927) was present in versions prior to 2.0.3, allowing attackers to inject arbitrary properties into JavaScript object prototypes. This could lead to various security risks, including remote code execution or denial of service.","severity":"breaking","affected_versions":"<2.0.3"},{"fix":"Upgrade to `body-parser-xml` version 2.0.4 or higher to benefit from the updated `xml2js` dependency and associated security fixes.","message":"A reported vulnerability in the `xml2js` dependency (issue #663) affected `body-parser-xml` versions prior to 2.0.4. 
While specific details might vary, it indicates potential risks related to XML parsing.","severity":"breaking","affected_versions":"<2.0.4"},{"fix":"Ensure you call `require('body-parser-xml')(bodyParser);` (or its ESM equivalent) *before* attempting to use `bodyParser.xml()` in your Express application.","message":"Unlike typical middleware that is imported and used directly, `body-parser-xml` functions as an enhancer. You must pass an initialized `body-parser` object to the `body-parser-xml` module to add the `.xml()` method, rather than directly using `body-parser-xml` as middleware.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-21T00:00:00.000Z","next_check":"2026-07-20T00:00:00.000Z","problems":[{"fix":"Ensure you have called `require('body-parser-xml')(bodyParser);` (or `bodyParserXml(bodyParser);` in ESM) after requiring `body-parser`.","cause":"The `body-parser` object was not correctly extended by `body-parser-xml`.","error":"TypeError: bodyParser.xml is not a function"},{"fix":"Increase the `limit` option in `bodyParser.xml({ limit: '5MB' })` or adjust the client payload size. The default limit is '100kb'.","cause":"The incoming XML request body exceeded the configured `limit` option.","error":"Error: request entity too large"},{"fix":"Verify that the client is sending well-formed XML and that the `Content-Type` header (e.g., `application/xml`, `text/xml`) is set correctly. If using a custom type, configure the `type` option in `bodyParser.xml({ type: 'application/x-my-xml' })`.","cause":"The incoming request body is not valid XML, or the `Content-Type` header is incorrect, causing the parser to attempt to parse non-XML data as XML.","error":"XML parse error: Non-whitespace characters not allowed in prolog"}],"ecosystem":"npm"}