From b21bf9539ce028d282d4676754f0fc2caef2b95f Mon Sep 17 00:00:00 2001
From: Andkrist
Date: Tue, 5 Mar 2019 13:22:28 +0100
Subject: [PATCH 1/2] update gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index d5733f98..f5c02731 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 node_modules/
 .tern-port
+.idea
\ No newline at end of file
From 21e154a55fb8f45e316aa0148c73d6314d270481 Mon Sep 17 00:00:00 2001
From: Andkrist
Date: Thu, 7 Mar 2019 11:16:04 +0100
Subject: [PATCH 2/2] Set explicitChar to true when parsing xml. Now character content of a element should be accessed only through ._
---
 lib/passport-saml/saml.js | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/lib/passport-saml/saml.js b/lib/passport-saml/saml.js
index 8fe7e80c..a43319e0 100644
--- a/lib/passport-saml/saml.js
+++ b/lib/passport-saml/saml.js
@@ -739,6 +739,7 @@ SAML.prototype.validateRedirect = function(container, callback) {
 var dom = new xmldom.DOMParser().parseFromString(inflated.toString());
 var parserConfig = {
 explicitRoot: true,
+ explicitCharKey: true,
 tagNameProcessors: [xml2js.processors.stripPrefix]
 };
 var parser = new xml2js.Parser(parserConfig);
@@ -855,8 +856,8 @@ SAML.prototype.verifyIssuer = function (samlMessage) {
 if(this.options.idpIssuer) {
 var issuer = samlMessage.Issuer;
 if (issuer) {
- if (issuer[0] !== this.options.idpIssuer && issuer[0]._ !== this.options.idpIssuer)
- throw 'Unknown SAML issuer. Expected: ' + this.options.idpIssuer + ' Received: ' + issuer[0];
+ if (issuer[0]._ !== this.options.idpIssuer)
+ throw 'Unknown SAML issuer. Expected: ' + this.options.idpIssuer + ' Received: ' + issuer[0]._;
 } else {
 throw 'Missing SAML issuer';
 }
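Review bot: The option added in the validateRedirect hunk is spelled `explicitCharKey` (capital K), while the two hunks further down use `explicitCharkey`; xml2js documents the option as `explicitCharkey`, so the capital-K spelling is most likely ignored by the parser. If it is ignored, an `<Issuer>` element without attributes still parses to a plain string, and verifyIssuer — which after this patch reads only `issuer[0]._` — would reject every redirect-bound message with 'Unknown SAML issuer … Received: undefined' whenever `idpIssuer` is configured: fail-closed, but logout over the redirect binding stops working. Change the added line to `explicitCharkey: true,`. validateRedirect's body continues outside the hunk, so I cannot confirm from here that verifyIssuer is run on this parser's output.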
@@ -868,6 +869,7 @@ SAML.prototype.processValidlySignedAssertion = function(xml, samlResponseXml, in
 var msg;
 var parserConfig = {
 explicitRoot: true,
+ explicitCharkey: true,
 tagNameProcessors: [xml2js.processors.stripPrefix]
 };
 var nowMs = new Date().getTime();
@@ -881,8 +883,8 @@ SAML.prototype.processValidlySignedAssertion = function(xml, samlResponseXml, in
 assertion = doc.Assertion;
 var issuer = assertion.Issuer;
- if (issuer) {
- profile.issuer = issuer[0];
+ if (issuer && issuer[0]._) {
+ profile.issuer = issuer[0]._;
 }
 var authnStatement = assertion.AuthnStatement;
@@ -896,8 +898,8 @@ SAML.prototype.processValidlySignedAssertion = function(xml, samlResponseXml, in
 var subjectConfirmation, confirmData;
 if (subject) {
 var nameID = subject[0].NameID;
- if (nameID) {
- profile.nameID = nameID[0]._ || nameID[0];
+ if (nameID && nameID[0]._) {
+ profile.nameID = nameID[0]._;
 if (nameID[0].$ && nameID[0].$.Format) {
 profile.nameIDFormat = nameID[0].$.Format;
@@ -1061,10 +1063,10 @@ SAML.prototype.checkAudienceValidityError = function(expectedAudience, audienceR
 return new Error('SAML assertion has no AudienceRestriction');
 }
 var errors = audienceRestrictions.map(function(restriction) {
- if (!restriction.Audience || !restriction.Audience[0]) {
+ if (!restriction.Audience || !restriction.Audience[0] || !restriction.Audience[0]._) {
 return new Error('SAML assertion AudienceRestriction has no Audience value');
 }
- if (restriction.Audience[0] !== expectedAudience) {
+ if (restriction.Audience[0]._ !== expectedAudience) {
 return new Error('SAML assertion audience mismatch');
 }
 return null;
@@ -1083,6 +1085,7 @@ SAML.prototype.validatePostRequest = function (container, callback) {
 var dom = new xmldom.DOMParser().parseFromString(xml);
 var parserConfig = {
 explicitRoot: true,
+ explicitCharkey: true,
 tagNameProcessors: [xml2js.processors.stripPrefix]
 };
 var parser = new xml2js.Parser(parserConfig);
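Review bot: In the @@ -881 hunk, `if (issuer && issuer[0]._)` lets an assertion whose `<Issuer>` is missing or has no text content pass through with `profile.issuer` silently left undefined, whereas the LogoutRequest path in this same patch answers the identical condition with `new Error('Missing SAML issuer')`. Unless verifyIssuer is applied to the assertion somewhere outside this hunk (not visible here), that means no issuer pinning is enforced on such an assertion even when `idpIssuer` is configured. Consider mirroring the other path with `} else { return callback(new Error('Missing SAML issuer')); }`, assuming the callback convention the rest of this function uses, which I cannot see from the hunk. processValidlySignedAssertion starts before and continues after this hunk.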
@@ -1116,15 +1119,15 @@ function processValidlySignedPostRequest(self, doc, callback) {
 return callback(new Error('Missing SAML LogoutRequest ID'));
 }
 var issuer = request.Issuer;
- if (issuer) {
- profile.issuer = issuer[0];
+ if (issuer && issuer[0]._) {
+ profile.issuer = issuer[0]._;
 } else {
 return callback(new Error('Missing SAML issuer'));
 }
 var nameID = request.NameID;
 if (nameID) {
- profile.nameID = nameID[0]._ || nameID[0];
+ profile.nameID = nameID[0]._;
 if (nameID[0].$ && nameID[0].$.Format) {
 profile.nameIDFormat = nameID[0].$.Format;