XmlParse

Last update:

May 18, 2026

Description

Converts XML text into an XML document object.

Returns

An XML document object.

Function syntax

XmlParse(xmlText [, caseSensitive ], validator])

History

ColdFusion MX 7:

Added the validator parameter.
Added support for filenames and URLs in the xmlText parameter.
Added support for relative URLs and pathnames. ColdFusion MX: Added this function.

Parameters

Parameter	Description
xmlText	Any of the following: A string containing XML text. The name of an XML file. The URL of an XML file; valid protocol identifiers include http, https, ftp, and file.
caseSensitive	Yes: maintains the case of document elements and attributes. No: Default
validator	Any of the following: The name of a Document Type Definition (DTD) or XML Schema file. The URL of a DTD or Schema file; valid protocol identifiers include http, https, ftp, and file. A string representation of a DTD or Schema. An empty string; in this case, the XML file must contain an embedded DTD or Schema identifier, which is used to validate the document.
parseroptions	To disable XXE and other attacks, use the following attributes: ALLOWEXTERNALENTITIES: Whether to allow any external source or file. Accepts Yes or No. ENTITYEXPANSIONLIMIT defines the maximum number of entity substitutions the XML parser permits in a document. See the example at the end.

Usage

If you specify a relative URL or pathname in a parameter, ColdFusion uses the directory (or, for URLs, the logical directory) that contains the current ColdFusion page as the path root. The caseSensitive parameter value determines whether identifiers whose characters are of varying case, but are otherwise the same, refer to different components; for example:

If true, the element or attribute names "name" and "NAME" refer to different elements or attributes.
If false, these names refer to the same elements or attributes.

If your XML object is case sensitive, you cannot use dot notation to reference an element or attribute name. Use the name in associative array (bracket) notation, or a reference that does not use the case-sensitive name (such as xmlChildren1) instead. In the following code, the first line will work with a case-sensitive XML object. The second and third lines cause errors:

MyDoc.xmlRoot.XmlAttributes["Version"] = "12b"; 

MyDoc.xmlRoot.XmlAttributes.Version = "12b"; 

MyDoc.MyRoot.XmlAttributes["Version"] = "12b";

The optional validator parameter specifies a DTD or Schema to use to validate the document. If the parser encounters a validation error, ColdFusion generates an error and stops parsing the document. Specify a validator parameter to make the XmlParse function validate your document. If you do not specify a validator parameter, the XML file must specify the DTD or schema using thexsi:noNamespaceSchemaLocation tag. If you specify a validator parameter, also specify a caseSensitive parameter.
Note: If you specify an empty string as the third parameter to the XMLParse function and specify a validator such as xsi:noNamespaceSchemaLocation within an XML document, it must specify a complete URL. However, with XMLValidate, it can be just a filename that is found relative to the CFML template doing validation.
If you do not specify a validator parameter, the xmlTextparameter can specify a well-formed XML fragment, and does not have to specify a complete document.
Note: To convert an XML document object back into a string, use the ToString function.

Preventing XXE vulnerabilities

Disable the resolution of external XML entities to protect against XML External Entity (XXE) vulnerabilities. XXE is a type of security flaw that allows attackers to inject malicious XML and potentially read sensitive files, access internal systems, or cause denial-of-service conditions during XML parsing.

To prevent this, you can disable external entity resolution by setting parseroptions.ALLOWEXTERNALENTITIES = false. See the examples for more information.

Example

The following example has three parts: an XML file, a DTD file, and a CFML page that parses the XML file and uses the DTD for validation. The CFML file displays the returned XML document object. To show the results of invalid XML, modify the bmenuD.xml.

Note: The DTD used in the following example represents the same XML structure as the Schema used in the XmlValidate example

The custorder.xml file is as follows:

<?xml version="1.0" encoding="UTF-8"?> 

<!DOCTYPE order SYSTEM "C:\ColdFusion\wwwroot\examples\custorder.dtd"> 

<order id="4323251"> 

    <customer firstname="Philip" lastname="Cramer" accountNum="21"/> 

    <items> 

        <item id="43"> 

            <name>    Deluxe Carpenter&apos;s Hammer</name> 

            <quantity>1</quantity> 

            <unitprice>15.95</unitprice> 

        </item> 

        <item id="54"> 

            <name>    36&quot; Plastic Rake</name> 

            <quantity>2</quantity> 

            <unitprice>6.95</unitprice> 

        </item> 

        <item id="68"> 

            <name>    Standard paint thinner</name> 

            <quantity>3</quantity> 

            <unitprice>8.95</unitprice> 

        </item> 

    </items> 

</order>

The custorder.dtd file is as follows:

<!ELEMENT order (customer, items)> 

<!ATTLIST order 

    id CDATA #REQUIRED> 

<!ELEMENT customer EMPTY> 

<!ATTLIST customer 

    firstname CDATA #REQUIRED 

    lastname CDATA #REQUIRED 

    accountNum CDATA #REQUIRED> 

<!ELEMENT items (item+)> 

<!ELEMENT item (name, quantity, unitprice)> 

<!ATTLIST item  

    id CDATA #REQUIRED> 

<!ELEMENT name (#PCDATA)> 

<!ELEMENT quantity (#PCDATA)> 

<!ELEMENT unitprice (#PCDATA)>

The CFML file is as follows. It uses a filename for the XML file and a URL for the DTD. Note that the XML and URL paths must be absolute.

<cfset 

myDoc=XMLParse("C:\ColdFusion\wwwroot\examples\custorder.xml", 

false, "http://localhost:8500/examples/custorder.dtd")> 

Dump of myDoc XML document object<br> 

<cfdump var="#myDoc#">

If you want to disable XXE, see the sample code below:

<cfset parseroptions = structnew()>

<!--- Prevent XML External Entity (XXE) vulnerabilities --->

<cfset parseroptions.ALLOWEXTERNALENTITIES = false>

<cfset parseroptions. ENTITYEXPANSIONLIMIT=64000>

<cfscript>

      a = XmlParse("file.xml", false, parseroptions);

      writeDump(a);

</cfscript>

Was this page helpful?

We're glad. Tell us how this page helped.

Found the answer to my problem Understood the instructions Liked the feature

Other suggestions

We're sorry. Can you tell us what didn't work for you?

Didn't find the answer to my problem Couldn't understand the instructions Didn't like the feature

Other suggestions

Thank you for your feedback. Your response will help improve this page.

Was this helpful?

We are sorry the content didn't meet your needs.

Share additional feedback to help us improve.

0/255 | Character limit exceeded.

Thank you so much for sharing your feedback!