(Expat logo)

Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags). An introductory article on using Expat is available on xml.com.

This project aims to maintain Expat for both current and future users while improving the API to allow more reliable and robust access from "scripting" languages such as Python and Perl. We invite the community to participate on the mailing lists to help shape the future of Expat.


12 March 2016, Expat 2.1.1 released.

Release 2.1.1 includes security & other bug fixes.

Security fixes

Bug fixes

  • Fix potential null pointer dereference (bug 502)
  • Symbol XML_SetHashSalt was not exported (bug 520)
  • Output of xmlwf -h was incomplete

Other changes

  • Document behavior of calling XML_SetHashSalt with salt 0 (bug 503)
  • Minor improvements to man page xmlwf(1)
  • Improvements to the experimental CMake build system
  • libtool now invoked with --verbose
24 March 2012, Expat 2.1.0 released.

Release 2.1.0 includes security & other bug fixes, new features, and updated build support.

Security fixes

New features

  • Added function XML_SetHashSalt that allows setting an initial value (salt) for hash calculations (part of the fix for bug 3496608).
  • When compiled with XML_ATTR_INFO defined, adds new API member XML_GetAttributeInfo() that allows retrieving the byte offsets for attribute names and values (patch 3446384).
  • Added CMake build system (bug 2990652, patch 3312568).
  • Added run-benchmark target to Makefile.in - relies on testdata module present in the same relative location as in the repository.

Bug fixes

  • Harmful XML_ParserCreateNS suggestion (1742315)
  • CVE-2012-1147 - Resource leak in readfilemap.c (2895533)
  • Expat build fails on linux-amd64 with gcc version>=4.1 -O3 (1785430)
  • Build modifications using autoreconf instead of buildconf.sh (1983953, 2517952, 2517962, 2649838)
  • OBJEXT and EXEEXT support while building (2815947, 2884086)
  • CVE-2009-3720 - Parser crash with special UTF-8 sequences (1990430)
  • xmlwf should return non-zero exit status if not well-formed (2517938)
  • Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml (2517946)
  • Dangling positionPtr after error (2855609)
  • CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8() (2894085)
  • CVE-2012-1148 - Memory leak in poolGrow (2958794)
  • UNEXPECTED_STATE with a trailing "%" in entity value (3010819)
  • Unitialized memory returned from XML_Parse (3206497)
  • make check fails on mingw-w64 (87849)
5 June 2007, Expat 2.0.1 released.

Release 2.0.1 of the Expat XML parser is a bugfix release resolving both code and build related issues. Changes include:

  • Fixed: The character data handler's calling of XML_StopParser() was not handled properly; if the parser was stopped and the handler set to NULL, the parser would segfault.
  • Fixed: Expat failed on EBCDIC systems as it assumed some character constants to be ASCII encoded.
  • Minor cleanups of the test harness.
  • Minor fixes for xmlwf and example programs.
  • Fixes and improvements for the Windows platform. New Windows directory structure.
  • Build fixes for various platforms: HP-UX, Tru64, Solaris 9.
  • Build fixes for Unix:
    - Refreshed config.sub/config.guess.
    - Support both, DESTDIR and INSTALL_ROOT, without relying on GNU-Make specific features.
    - Patched configure.in to work better with Intel compiler.
    - Fixes to Makefile.in to have make check work correctly.
  • Added Open Watcom support.

11 January 2006, Expat 2.0.0 released.

Release 2.0.0 of the Expat XML parser is the end point of the 1.95.X series of releases. The goal was to solidify and stabilize the implementation of the given API, to add desirable features as long as they fit with the API, and to keep the API backwards compatible if extensions were required. Changes include:

  • Fixed headers for use from C++.
  • XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() now return unsigned integers.
  • Added XML_LARGE_SIZE switch to enable 64-bit integers for byte indexes and line/column numbers.
  • Added support for AmigaOS.
  • Some mostly minor bug fixes. SF issues include: 1006708, 1021776, 1023646, 1114960, 1156398, 1221160, 1271642.

Old news archive

References & 3rd-party Wrappers

If you know of any additional articles or resources which should be linked to from this page, please send email to Fred Drake (fdrake@acm.org). We're especially interested in links to tutorial information and open source interfaces to Expat from languages other than C.

SourceForge.net Logo