Expat is an XML parser library written in C. It is a
stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).
An introductory article on using Expat is available on
This project aims to maintain Expat for both current and future
users while improving the API to allow more reliable and robust access
from "scripting" languages such as Python and Perl. We invite the
community to participate on the mailing lists to help shape the future
- 21 June 2016,
Expat 2.2.0 released.
Release 2.2.0 includes security & other bug fixes.
- Fix crash on malformed input
- Improve insufficient fix to
introduced with Expat 2.1.1
- Use more entropy for hash initialization than the original fix to
- Resolve troublesome internal call to srand that was introduced
with Expat 2.1.0 when addressing CVE-2012-0876
- Fix uninitialized reads of size 1 (e.g. in
- Fix detection of UTF-8 character boundaries
- Fix compilation for Visual Studio 2010
- Autotools: Resolve use of "$<" to better support bmake
- Autotools: Add QA script "qa.sh" (and make target "qa")
- Autotools: Respect
CXXFLAGS if given
- Autotools: Fix "make run-xmltest"
- Autotools: Have "make run-xmltest" check for expected output
- CMake: Fix static build (
BUILD_shared=OFF) on Windows
- CMake: Add soversion, support
-DNO_SONAME=yes to bypass
- CMake: Add suffix "d" to differentiate debug from release
- CMake: Define
WIN32 with CMake on Windows
- Annotate memory allocators for GCC
- Address all currently known compile warnings
- Make sure that API symbols remain visible despite
- Remove executable flag from source files
COMPILED_FROM_DSP in favor of
Special thanks to
- Björn Lindahl
- Christian Heimes
- Cristian Rodríguez
- Daniel Krügler
- Gustavo Grieco
- Karl Waclawek
- László Böszörményi
- Marco Grassi
- Pascal Cuoq
- Sergei Nikulov
- Thomas Beutlich
- Warren Young
- Yann Droneaud
- 12 March 2016,
Expat 2.1.1 released.
Release 2.1.1 includes security & other bug fixes.
- Fix potential null pointer dereference
XML_SetHashSalt was not exported
- Output of
xmlwf -h was incomplete
- Document behavior of calling
XML_SetHashSalt with salt
- Minor improvements to man page
- Improvements to the experimental CMake build system
- libtool now invoked with
- 24 March 2012,
Expat 2.1.0 released.
Release 2.1.0 includes security & other bug fixes, new
features, and updated build support.
- Added function XML_SetHashSalt that allows setting an initial
value (salt) for hash calculations (part of the fix for bug 3496608).
- When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte offsets
for attribute names and values (patch 3446384).
- Added CMake build system (bug 2990652, patch 3312568).
- Added run-benchmark target to Makefile.in - relies on testdata
module present in the same relative location as in the repository.
- Harmful XML_ParserCreateNS suggestion (1742315)
- CVE-2012-1147 - Resource leak in readfilemap.c (2895533)
- Expat build fails on linux-amd64 with gcc version>=4.1 -O3 (1785430)
- Build modifications using autoreconf instead of buildconf.sh (1983953, 2517952, 2517962, 2649838)
- OBJEXT and EXEEXT support while building (2815947, 2884086)
- CVE-2009-3720 - Parser crash with special UTF-8 sequences (1990430)
- xmlwf should return non-zero exit status if not well-formed (2517938)
- Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml (2517946)
- Dangling positionPtr after error (2855609)
- CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8() (2894085)
- CVE-2012-1148 - Memory leak in poolGrow (2958794)
- UNEXPECTED_STATE with a trailing "%" in entity value (3010819)
- Unitialized memory returned from XML_Parse (3206497)
- make check fails on mingw-w64 (87849)
- 5 June 2007,
Expat 2.0.1 released.
Release 2.0.1 of the Expat XML parser is a bugfix release
resolving both code and build related issues. Changes include:
- Fixed: The character data handler's calling of XML_StopParser()
was not handled properly; if the parser was stopped and the handler
set to NULL, the parser would segfault.
- Fixed: Expat failed on EBCDIC systems as it assumed some character
constants to be ASCII encoded.
- Minor cleanups of the test harness.
- Minor fixes for xmlwf and example programs.
- Fixes and improvements for the Windows platform.
New Windows directory structure.
- Build fixes for various platforms: HP-UX, Tru64, Solaris 9.
- Build fixes for Unix:
- Refreshed config.sub/config.guess.
- Support both, DESTDIR and INSTALL_ROOT, without relying on GNU-Make specific features.
- Patched configure.in to work better with Intel compiler.
- Fixes to Makefile.in to have make check work correctly.
- Added Open Watcom support.
- 11 January 2006,
Expat 2.0.0 released.
Release 2.0.0 of the Expat XML parser is the end point of the
1.95.X series of releases. The goal was to solidify and stabilize
the implementation of the given API, to add desirable features as
long as they fit with the API, and to keep the API backwards compatible
if extensions were required. Changes include:
- Fixed headers for use from C++.
- XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
now return unsigned integers.
- Added XML_LARGE_SIZE switch to enable 64-bit integers for
byte indexes and line/column numbers.
- Added support for AmigaOS.
- Some mostly minor bug fixes. SF issues include: 1006708,
1021776, 1023646, 1114960, 1156398, 1221160, 1271642.
Old news archive
References & 3rd-party Wrappers
If you know of any additional articles or resources which should be
linked to from this page, please send email to Fred Drake (firstname.lastname@example.org).
We're especially interested in links to tutorial information and open
source interfaces to Expat from languages other than C.
James Clark's original Expat page, for Expat 1.2 and
Introductory article on using Expat on
LuaExpat is a
wrapper around Expat for the Lua
programming language. The LuaSOAP library is a SOAP implementation
built on top of LuaExpat.
XML::Parser module is a wrapper built around a
binding to Expat in the
Documentation for the Python interface to Expat, part of the
standard documentation for Python.
SAXExpat.NET, a .NET
wrapper for Expat, conforming to the
SAX for .NET specifications.
The Simple C Expat Wrapper
is a wrapper around Expat that provides a light-weight object model
somewhat like a DOM.
for the Expat XML Parser, an article by Tim Smith
providing object-oriented wrappers for Expat. The wrappers use
some MFC-biased naming, but look interesting.
Arabica -- an XML Parser toolkit for C++ programmers, with
SAX2 implementations based on several parsers, including Expat.
ExpatMM -- C++ interface to Expat
SAX2 Wrapper for using Expat in Delphi,
"SAX for Pascal"
The TclXML project includes a Tcl binding for Expat
tDOM is an alternate package providing XML support for Tcl, based in part on
Article on using Expat from PHP on
(broken into lots of tiny pieces)
Objective-C interface to Expat
OCaml Expat is a
wrapper around Expat for the Objective Caml language.
Ruby interface to Expat
2 is an AppleScript scripting addition that allows AppleScript
applications to work with XML data; it is based on Expat.
Simkin is an open source
scripting language available under the GNU LGPL. It can be embedded
in XML and supports a DOM-like API backed by Expat.
EasySoap is a C++
SOAP implementation which uses Expat.
A discussion of another way to manage stateful callbacks, using
Expat as a sample library.
project is working on an Eiffel binding for Expat. Development
is active and the package is fully supported in GOBO 3.0 and 3.1,
though there isn't much status information about the Expat bindings
on the website. (Most activity is reportedly on the relevant
Expat4D is a plug-in
for the 4th Dimension application