Auto float parsing crashes on alphanumeric text containing scientific-notation-like patterns (e.g. emails)

[abbas-dzinehub]

Description:

We are encountering a runtime crash when parsing certain XML text nodes that contain alphanumeric strings, where the library attempts to auto-parse them as floats.

This happens when the text value starts with digits and contains e followed by digits, which makes it resemble scientific notation, even though the value is not numeric.

Example real-world value (from eBay webhook XML):

00872437306050e5473d@members.ebay.com

This is a valid anonymized email address, but during XML → JSON conversion the library attempts to parse it as a float and crashes.

Actual Error

** (ArgumentError) errors were found at the given arguments:
  * 1st argument: not a textual representation of a float

:erlang.binary_to_float("00872437306050.0e5473")

The library appears to attempt numeric coercion using Float.parse/1 on all text nodes.
In this case 00872437306050e5473d is interpreted as scientific notation: 00872437306050e5473

which causes Erlang to attempt :erlang.binary_to_float("00872437306050.0e5473")

Note:
A similar anonymized email does not crash:

008711ae951cdda45353@members.ebay.com

Because the presence of non-numeric letters earlier prevents float parsing.

This means the crash depends on specific random ID patterns, making it unpredictable in production.

Expected Behavior

• Alphanumeric text values (emails, IDs, SKUs, references) should remain strings
• Numeric parsing should only occur when the entire string is numeric
• XML → JSON conversion should never crash on valid XML text content

Suggested Fix

Only coerce to float when the entire string is numeric.

For example:

case Float.parse(value) do
  {float, ""} -> float
  _ -> value
end

or using a strict regex:

if Regex.match?(~r/^[+-]?\d+(\.\d+)?$/, value) do
  String.to_float(value)
else
  value
end

This prevents accidental parsing of emails, IDs, SKUs, etc.

Thank you.

[bennyhat]

Thanks! I'll get a bug fix for this out hopefully by end of week at worst

[bennyhat]

Hi, I looked into this some more and I'm unable to reproduce, even with an older OTP and Elixir

Can you provide:

• Simple XML sample for reproducing
• Elixir and OTP version used
• xml_json version used

Unable to reproduce with:

• Elixir 1.10.4 with OTP 23
• Version 0.5.0
• Tested parker deserializer with <root>008711ae951cdda45353@members.ebay.com</root> - no errors - converts to string as desired
• Tested aws deserializer with <root>008711ae951cdda45353@members.ebay.com</root> - no errors - converts to string as desired
• Tested badgerfish deserializer with <email>008711ae951cdda45353@members.ebay.com</email> - converts to string as desired

It's also worth noting that the common float parsing already does this and has since version 0.3.0. The rescue is to work with older OTP versions that raise on strings like 008711ae951cdda45353@members.ebay.com

  defp float_parse(value) do
    case Float.parse(value) do
      {parsed, ""} -> parsed
      _ -> :error
    end
  rescue
    _ -> :error
  end

[abbas-dzinehub]

Hi Benny,

My apologies. Please ignore this.
It works fine with your module.
For this particular call, a different module was being called for, which we did not realize.

Thank you for your reply anyway.