NaturalIntelligence
diff --git a/‎CHANGELOG.md‎
Lines changed: 6 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎docs/v4/2.XMLparseOptions.md‎
Lines changed: 6 additions & 1 deletion b/‎docs/v4/2.XMLparseOptions.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎docs/v4/5.Entities.md‎
Lines changed: 141 additions & 68 deletions b/‎docs/v4/5.Entities.md‎
Lines changed: 141 additions & 68 deletions
diff --git a/‎lib/fxp.cjs‎
Lines changed: 1 addition & 1 deletion b/‎lib/fxp.cjs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/fxp.min.js‎
Lines changed: 1 addition & 1 deletion b/‎lib/fxp.min.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/fxp.min.js.map‎
Lines changed: 1 addition & 1 deletion b/‎lib/fxp.min.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/fxparser.min.js‎
Lines changed: 1 addition & 1 deletion b/‎lib/fxparser.min.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/fxparser.min.js.map‎
Lines changed: 1 addition & 1 deletion b/‎lib/fxparser.min.js.map‎
Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,11 @@
 <small>Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.</small>
 
+**5.3.6 / 2026-02-14**
+- Improve security and performance of entity processing
+  - new options `maxEntitySize`, `maxExpansionDepth`, `maxTotalExpansions`, `maxExpandedLength`, `allowedTags`,`tagFilter`
+  - fast return when no edtity is present
+  - improvement replacement logic to reduce number of calls
+
 
 **5.3.5 / 2026-02-08**
 - fix: Escape regex char in entity name
 
@@ -691,7 +691,12 @@ const XMLdata = `
 ```
 
 ## processEntities
-Set it to `true` (default) to process default and DOCTYPE entities. Check [Entities](./5.Entities.md) section for more detail. If you don't have entities in your XML document then it is recommended to disable it `processEntities: false` for better performance.
+- false (Recommended): The parser will recognize the `<!DOCTYPE>` and `<!ENTITY>` tags but will not perform any string substitution. This prevents Entity Expansion (DoS) attacks while allowing the rest of the XML to be parsed normally, even if the DOCTYPE internal subset is complex.
+
+- true: The parser will actively replace all `&entity;` references with their defined values. Use with caution: only enable this for trusted XML sources to avoid resource exhaustion.
+
+heck [Entities](./5.Entities.md) section for more detail.
+
 ## removeNSPrefix
 
 Remove namespace string from tag and attribute names.
 
@@ -1,5 +1,4 @@
-
-Entities are the variables that can be used  in XML content to maintain consistency. Eg,
+Entities are the variables that can be used in XML content to maintain consistency. Eg,
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -19,38 +18,116 @@ Entities are the variables that can be used  in XML content to maintain consiste
 </note> 
 ```
 
-You can define your own entities using DOCTYPE. FXP by default supports following XML entities;
+You can define your own entities using DOCTYPE. FXP by default supports following XML entities:
 
 | Entity name | Character | Decimal reference | Hexadecimal reference |
 | :---------- | :-------- | :---------------- | :-------------------- |
-| quot        | "         | `&#34;`             | `&#x22;`                |
-| amp         | &         | `&#38;`             | `&#x26;`                |
-| apos        | '         | `&#39;`             | `&#x27;`                |
-| lt          | <         | `&#60;`             | `&#x3C;`                |
-| gt          | >         | `&#62;`             | `&#x3E;`                |
+| quot        | "         | `&#34;`           | `&#x22;`              |
+| amp         | &         | `&#38;`           | `&#x26;`              |
+| apos        | '         | `&#39;`           | `&#x27;`              |
+| lt          | <         | `&#60;`           | `&#x3C;`              |
+| gt          | >         | `&#62;`           | `&#x3E;`              |
+
+## processEntities Configuration
+
+**Type:** `Boolean | Object`  
+**Default:** `true`
+
+Controls how the parser handles XML entities with built-in security protections.
+
+### Basic Usage
+
+```js
+// Disable entity processing (recommended for untrusted XML)
+const parser = new XMLParser({ 
+  processEntities: false 
+});
+
+// Enable with default security limits (safe for most use cases)
+const parser = new XMLParser({ 
+  processEntities: true 
+});
+```
+
+### Security Limits (Advanced)
+
+When `processEntities: true`, the parser applies these default limits to prevent denial-of-service attacks:
+
+```js
+const parser = new XMLParser({
+  processEntities: {
+    enabled: true,              // Master switch
+    maxEntitySize: 10000,       // Max 10KB per entity definition
+    maxTotalExpansions: 1000,   // Max 1000 entity replacements total
+    maxExpandedLength: 100000   // Max 100KB total expanded content
+  }
+});
+```
+
+**Recommendations:**
+- **For untrusted XML:** Use `processEntities: false` 
+- **For trusted XML with entities:** Use `processEntities: true` (default limits are safe)
+- **For custom security needs:** Configure limits based on your requirements
+
+### How It Works
+
+**When `false`:**
+- The parser recognizes `<!DOCTYPE>` and `<!ENTITY>` tags
+- Entity references like `&writer;` are **not** replaced - they remain as-is in the output
+- Prevents Entity Expansion attacks while allowing DOCTYPE parsing
+- **Best for:** Public APIs, untrusted XML sources, maximum security
+
+**When `true`:**
+- The parser actively replaces all `&entity;` references with their defined values
+- Security limits prevent resource exhaustion attacks
+- **Best for:** Internal systems, trusted XML sources, when entities are needed
 
-However, since the entity processing can impact the parser's performance drastically, you can use `processEntities: false` to disable it.
+### Security Protections
+
+FXP includes multiple defense layers against entity expansion attacks:
+
+1. **Entity Size Limit:** Prevents individual entities from being too large
+2. **Expansion Count Limit:** Prevents too many entity replacements
+3. **Total Size Limit:** Prevents output from growing too large
+4. **Parameter Entity Blocking:** Entities containing `&` are automatically ignored
+
+These protections defend against:
+- Billion Laughs attack (exponential entity expansion)
+- Memory exhaustion attacks
+- CPU exhaustion attacks
+
+**Example of blocked attack:**
+```xml
+<!DOCTYPE foo [
+  <!ENTITY big "AAAAA..."> <!-- 50KB entity -->
+]>
+<root>&big;&big;&big;...</root> <!-- 1000+ repetitions -->
+```
+This would be blocked at the entity definition stage or during expansion, preventing resource exhaustion.
+
+## XML Builder
+
+XML Builder decodes default entities automatically. Eg:
 
-XML Builder decodes default entities value. Eg
 ```js
 const jsObj = {
-            "note": {
-                "@heading": "Reminder > \"Alert",
-                "body": {
-                    "#text": " 3 < 4",
-                    "attr": "Writer: Donald Duck."
-                },
-            }
-        };
-
-        const options = {
-            attributeNamePrefix: "@",
-            ignoreAttributes:    false,
-            // processEntities: false
-        };
-        const builder = new XMLBuilder(options);
-        const output = builder.build(jsObj);
+    "note": {
+        "@heading": "Reminder > \"Alert",
+        "body": {
+            "#text": " 3 < 4",
+            "attr": "Writer: Donald Duck."
+        },
+    }
+};
+
+const options = {
+    attributeNamePrefix: "@",
+    ignoreAttributes: false,
+};
+const builder = new XMLBuilder(options);
+const output = builder.build(jsObj);
 ```
+
 Output:
 ```xml
 <note heading="Reminder &gt; &quot;Alert">
@@ -61,9 +138,9 @@ Output:
 </note>
 ```
 
-## Side effects
+## Side Effects
 
-Though FXP doesn't silently ignores entities with `&` in the values, following side effects are possible
+FXP silently ignores entities with `&` in their values for security. However, be aware of how multiple entities interact:
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
@@ -81,10 +158,10 @@ Though FXP doesn't silently ignores entities with `&` in the values, following s
 </note> 
 ```
 
-Output
+Output:
 
 ```js
- {
+{
     "note": {
         "heading": "Reminder",
         "body": {
@@ -96,61 +173,57 @@ Output
 }
 ```
 
-To deal with such situation, use `&amp;` instead of `&` in XML document.
+To deal with literal ampersands, use `&amp;` in your XML document.
 
-## Attacks
+## Security Note
 
-Following attacks are possible due to entity processing
+While FXP blocks many entity-based attacks through its security limits and by rejecting entities with `&` in values, the following attack vectors are mitigated:
 
-* Denial-of-Service Attacks
-* Classic XXE
-* Advanced XXE
-* Server-Side Request Forgery (SSRF)
-* XInclude
-* XSLT
+* **Denial-of-Service Attacks:** Blocked by size and expansion limits
+* **Classic XXE:** External entities are not supported
+* **Parameter Entities:** Automatically ignored
+* **Recursive Entities:** Blocked by refusing entities containing `&`
 
-Since FXP doesn't allow entities with `&` in the values, above attacks should not work.
+**When `processEntities: false`:** All entity expansion is disabled, providing maximum security for untrusted XML.
 
 ## HTML Entities
 
-Following HTML entities are supported by the parser by default when `htmlEntities: true`.
+Following HTML entities are supported when `htmlEntities: true`:
 
 | Result | Description                        | Entity Name | Entity Number |
 | :----- | :--------------------------------- | :---------- | :------------ |
-|        | non-breaking space                 | `&nbsp;`      | `&#160;`        |        
-| <      | less than                          | `&lt;`        | `&#60;`         |        
-| >      | greater than                       | `&gt;`        | `&#62;`         |        
-| &      | ampersand                          | `&amp;`       | `&#38;`         |        
-| "      | double quotation mark              | `&quot;`      | `&#34;`         |        
-| '      | single quotation mark (apostrophe) | `&apos;`      | `&#39;`         |        
-| ¢      | cent                               | `&cent;`      | `&#162;`        |        
-| £      | pound                              | `&pound;`     | `&#163;`        |        
-| ¥      | yen                                | `&yen;`       | `&#165;`        |        
-| €      | euro                               | `&euro;`      | `&#8364;`       |        
-| ©      | copyright                          | `&copy;`      | `&#169;`        |        
-| ®      | registered trademark               | `&reg;`       | `&#174;`        |        
-| ₹      | Indian Rupee               | `&inr;`       | `&#8377;`        |
----
-
-In addition, [numeric character references](https://html.spec.whatwg.org/multipage/syntax.html#syntax-charref) are also supported. Both decimal (`num_dec`) and hexadecimal(`num_hex`).
-
-FXP supports rading Notations and Elements v5.2.1 onwards. However, it doesnt take any decision out of the readed values. 
-
-#TODO
-In future version of FXP, we'll be supporting more features of DOCTYPE such as `ELEMENT`, reading content for an entity from a file etc.
+|        | non-breaking space                 | `&nbsp;`    | `&#160;`      |        
+| <      | less than                          | `&lt;`      | `&#60;`       |        
+| >      | greater than                       | `&gt;`      | `&#62;`       |        
+| &      | ampersand                          | `&amp;`     | `&#38;`       |        
+| "      | double quotation mark              | `&quot;`    | `&#34;`       |        
+| '      | single quotation mark              | `&apos;`    | `&#39;`       |        
+| ¢      | cent                               | `&cent;`    | `&#162;`      |        
+| £      | pound                              | `&pound;`   | `&#163;`      |        
+| ¥      | yen                                | `&yen;`     | `&#165;`      |        
+| €      | euro                               | `&euro;`    | `&#8364;`     |        
+| ©      | copyright                          | `&copy;`    | `&#169;`      |        
+| ®      | registered trademark               | `&reg;`     | `&#174;`      |        
+| ₹      | Indian Rupee                       | `&inr;`     | `&#8377;`     |
+
+In addition, [numeric character references](https://html.spec.whatwg.org/multipage/syntax.html#syntax-charref) are supported - both decimal (`&#123;`) and hexadecimal (`&#x7B;`).
+
+FXP supports reading Notations and Elements from v5.2.1 onwards. However, it doesn't take any action based on these values.
 
 ## External Entities
 
-You can set external entities without using DOCTYPE.
+You can add external entities programmatically without using DOCTYPE:
 
 ```js
-const xmlData = `<note>&unknown;&#xD;last</note> `;
+const xmlData = `<note>&unknown;&#xD;last</note>`;
 
 const parser = new XMLParser();
-parser.addEntity("#xD", "\r"); // &unknown;\rlast
-let result = parser.parse(xmlData);
+parser.addEntity("#xD", "\r");
+let result = parser.parse(xmlData); // Output: &unknown;\rlast
 ```
 
-This way, you can also override the default entities.
+This method also allows you to override default entities.
+
+**Note:** External entities added this way bypass DOCTYPE validation but are still subject to the same security limits when `processEntities: true`.
 
-[> Next: HTML Document Parsing](./6.HTMLParsing.md)
+[> Next: HTML Document Parsing](./6.HTMLParsing.md)