คู่มือแปลง XML เป็น JSON: ตัวอย่าง JavaScript, Python, Java และ CLI

XML to JSON conversion is one of the most common data transformation tasks in modern software development. As organizations migrate from legacy SOAP-based web services to RESTful APIs, the need to convert XML to JSON has skyrocketed. Whether you are dealing with enterprise configuration files, RSS feeds, or SOAP API responses, an efficient XML to JSON converter saves hours of manual work. This comprehensive guide covers everything from the underlying parsing mechanics to production-ready code examples in JavaScript, Python, Java, and Bash. If you need to convert XML to JSON online right now, our free tool handles it instantly with proper attribute mapping and namespace support.

Try our free online XML to JSON converter tool instantly.

What Is XML to JSON Conversion?

XML (Extensible Markup Language) and JSON (JavaScript Object Notation) are the two most widely used data interchange formats. XML dominated enterprise computing for decades, powering SOAP web services, configuration files, and document formats like SVG, XHTML, and RSS. JSON emerged as the lightweight alternative favored by web developers for its simplicity and native JavaScript compatibility. The need to convert XML to JSON arises in numerous real-world scenarios: migrating legacy SOAP services to REST APIs, consuming third-party XML feeds in modern frontend applications, transforming configuration files for cloud-native deployments, and processing XML-based data pipelines into JSON-friendly analytics platforms.

An XML to JSON converter takes a well-formed XML document and transforms it into an equivalent JSON representation. This process involves mapping XML elements to JSON objects, handling XML attributes, text nodes, namespaces, CDATA sections, and mixed content. Because XML and JSON have fundamentally different data models (XML is a tree of named nodes with attributes; JSON is a tree of key-value pairs and arrays), the conversion is not always one-to-one. Different conversion conventions such as Badgerfish, Parker, and GData define specific rules for how attributes, text content, and namespaces map to JSON properties.

The reverse operation, JSON to XML conversion, is equally important when integrating modern services with legacy XML-based systems. Understanding both directions gives you complete flexibility in data transformation pipelines. Common use cases include: SOAP-to-REST API gateway layers, ETL pipelines that ingest XML and output JSON for Elasticsearch or MongoDB, mobile applications that consume XML RSS feeds but prefer JSON internally, and infrastructure-as-code tools that need to convert between XML and JSON configuration formats.

XML vs JSON: A Detailed Comparison

Before diving into conversion techniques, it is essential to understand the structural differences between XML and JSON. This comparison helps explain why certain edge cases arise during XML to JSON conversion:

How XML to JSON Conversion Works

The XML to JSON conversion process involves several key steps that an XML parser must handle. Understanding these steps helps you choose the right tool and anticipate edge cases:

Several established conventions define how XML structures map to JSON. The three most common are:

XML to JSON Code Examples

JavaScript: XML to JSON

In JavaScript, there are several approaches to XML to JSON conversion. The browser provides a built-in DOMParser for parsing XML, and popular npm packages like fast-xml-parser and xml2js offer robust conversion for xml to json javascript workflows:

// ===== Using fast-xml-parser (recommended) =====
// npm install fast-xml-parser

import { XMLParser, XMLBuilder } from 'fast-xml-parser';

const xml = `<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
  <book id="1" category="fiction">
    <title lang="en">The Great Gatsby</title>
    <author>F. Scott Fitzgerald</author>
    <price currency="USD">10.99</price>
    <year>1925</year>
  </book>
  <book id="2" category="non-fiction">
    <title lang="en">Sapiens</title>
    <author>Yuval Noah Harari</author>
    <price currency="USD">14.99</price>
    <year>2011</year>
  </book>
</bookstore>`;

// Configure parser with attribute handling
const parser = new XMLParser({
  ignoreAttributes: false,       // preserve attributes
  attributeNamePrefix: '@_',     // prefix for attributes
  textNodeName: '#text',         // key for text content
  isArray: (name, jpath) => {    // force arrays for known collections
    return ['bookstore.book'].includes(jpath);
  },
});

const json = parser.parse(xml);
console.log(JSON.stringify(json, null, 2));
// Output:
// {
//   "bookstore": {
//     "book": [
//       {
//         "@_id": "1",
//         "@_category": "fiction",
//         "title": { "@_lang": "en", "#text": "The Great Gatsby" },
//         "author": "F. Scott Fitzgerald",
//         "price": { "@_currency": "USD", "#text": 10.99 },
//         "year": 1925
//       },
//       ...
//     ]
//   }
// }

// ===== Using DOMParser (browser built-in) =====

function xmlToJson(xmlString) {
  const parser = new DOMParser();
  const doc = parser.parseFromString(xmlString, 'text/xml');

  function nodeToJson(node) {
    const obj = {};

    // Handle attributes
    if (node.attributes && node.attributes.length > 0) {
      for (let i = 0; i < node.attributes.length; i++) {
        const attr = node.attributes[i];
        obj['@' + attr.nodeName] = attr.nodeValue;
      }
    }

    // Handle child nodes
    if (node.childNodes && node.childNodes.length > 0) {
      for (let i = 0; i < node.childNodes.length; i++) {
        const child = node.childNodes[i];
        if (child.nodeType === 1) { // Element node
          const childObj = nodeToJson(child);
          if (obj[child.nodeName]) {
            // Convert to array if duplicate element names
            if (!Array.isArray(obj[child.nodeName])) {
              obj[child.nodeName] = [obj[child.nodeName]];
            }
            obj[child.nodeName].push(childObj);
          } else {
            obj[child.nodeName] = childObj;
          }
        } else if (child.nodeType === 3) { // Text node
          const text = child.nodeValue.trim();
          if (text) {
            if (Object.keys(obj).length === 0) return text;
            obj['#text'] = text;
          }
        } else if (child.nodeType === 4) { // CDATA section
          obj['#cdata'] = child.nodeValue;
        }
      }
    }
    return obj;
  }

  const root = doc.documentElement;
  const result = {};
  result[root.nodeName] = nodeToJson(root);
  return result;
}

// ===== Using xml2js (Node.js) =====
// npm install xml2js

import { parseString } from 'xml2js';

parseString(xml, {
  explicitArray: false,
  mergeAttrs: true,
  trim: true,
}, (err, result) => {
  if (err) throw err;
  console.log(JSON.stringify(result, null, 2));
});

// ===== Streaming large XML with sax (Node.js) =====
// npm install sax

import sax from 'sax';

const saxParser = sax.createStream(true, { trim: true });
const stack = [];
let current = {};

saxParser.on('opentag', (node) => {
  const obj = {};
  if (node.attributes) {
    for (const [key, value] of Object.entries(node.attributes)) {
      obj['@' + key] = value;
    }
  }
  stack.push(current);
  current[node.name] = obj;
  current = obj;
});

saxParser.on('text', (text) => {
  if (text.trim()) current['#text'] = text.trim();
});

saxParser.on('closetag', () => {
  current = stack.pop();
});

Python: XML to JSON

For xml to json python conversion, the xmltodict library is the most popular choice. Python also offers built-in modules like xml.etree.ElementTree and security-focused defusedxml for production environments:

# ===== Using xmltodict (most popular) =====
# pip install xmltodict

import xmltodict
import json

xml_string = """<?xml version="1.0" encoding="UTF-8"?>
<catalog>
  <product id="101" category="electronics">
    <name>Wireless Mouse</name>
    <price currency="USD">29.99</price>
    <specs>
      <weight unit="g">85</weight>
      <battery>AA</battery>
      <connectivity>Bluetooth 5.0</connectivity>
    </specs>
    <tags>
      <tag>wireless</tag>
      <tag>mouse</tag>
      <tag>bluetooth</tag>
    </tags>
  </product>
</catalog>
"""

# Convert XML to Python dict (then to JSON)
data = xmltodict.parse(xml_string)
json_output = json.dumps(data, indent=2, ensure_ascii=False)
print(json_output)
# Output:
# {
#   "catalog": {
#     "product": {
#       "@id": "101",
#       "@category": "electronics",
#       "name": "Wireless Mouse",
#       "price": { "@currency": "USD", "#text": "29.99" },
#       "specs": {
#         "weight": { "@unit": "g", "#text": "85" },
#         "battery": "AA",
#         "connectivity": "Bluetooth 5.0"
#       },
#       "tags": { "tag": ["wireless", "mouse", "bluetooth"] }
#     }
#   }
# }

# Force specific elements to always be lists
data = xmltodict.parse(xml_string, force_list=('product', 'tag'))

# ===== Using defusedxml for security =====
# pip install defusedxml

import defusedxml.ElementTree as ET

# Safe parsing - blocks XXE, entity expansion, etc.
tree = ET.fromstring(xml_string)

def element_to_dict(element):
    result = {}

    # Handle attributes
    if element.attrib:
        for key, value in element.attrib.items():
            result[f'@{key}'] = value

    # Handle child elements
    children = list(element)
    if children:
        for child in children:
            child_data = element_to_dict(child)
            if child.tag in result:
                # Convert to list for repeated elements
                if not isinstance(result[child.tag], list):
                    result[child.tag] = [result[child.tag]]
                result[child.tag].append(child_data)
            else:
                result[child.tag] = child_data
    elif element.text and element.text.strip():
        if result:  # Has attributes
            result['#text'] = element.text.strip()
        else:
            return element.text.strip()

    return result

root = tree
json_data = {root.tag: element_to_dict(root)}
print(json.dumps(json_data, indent=2))

# ===== Using lxml with XPath =====
# pip install lxml

from lxml import etree

tree = etree.fromstring(xml_string.encode())

# Extract specific data with XPath, output as JSON
products = []
for product in tree.xpath('//product'):
    products.append({
        'id': product.get('id'),
        'name': product.xpath('name/text()')[0],
        'price': float(product.xpath('price/text()')[0]),
        'currency': product.xpath('price/@currency')[0],
    })
print(json.dumps(products, indent=2))

Bash / CLI: XML to JSON

For command-line workflows, tools like xq (from yq), xmlstarlet, and Python one-liners provide quick XML to JSON conversion directly from the terminal:

# ===== Using xq (part of yq, recommended) =====
# Install: pip install yq  OR  brew install yq

# Basic XML to JSON conversion
cat data.xml | xq .
# Or directly from a file
xq . data.xml

# Pretty-print with specific fields
xq '.catalog.product[] | {name: .name, price: .price}' data.xml

# Convert and save to file
xq . input.xml > output.json

# Extract specific values
xq -r '.catalog.product.name' data.xml

# ===== Using xmlstarlet =====
# Install: brew install xmlstarlet  OR  apt install xmlstarlet

# Select specific elements
xmlstarlet sel -t -v "//product/name" data.xml

# Convert to a flat key-value format
xmlstarlet sel -t \
  -m "//product" \
  -v "@id" -o "," \
  -v "name" -o "," \
  -v "price" -n data.xml

# ===== Python one-liners =====

# Quick XML to JSON from command line
python3 -c "
import xmltodict, json, sys
print(json.dumps(xmltodict.parse(sys.stdin.read()), indent=2))
" < data.xml

# Using built-in xml.etree (no pip install needed)
python3 -c "
import xml.etree.ElementTree as ET, json, sys
root = ET.parse(sys.stdin).getroot()
def to_dict(el):
    d = dict(el.attrib)
    children = list(el)
    if children:
        for c in children:
            cd = to_dict(c)
            if c.tag in d:
                if not isinstance(d[c.tag], list): d[c.tag] = [d[c.tag]]
                d[c.tag].append(cd)
            else: d[c.tag] = cd
    elif el.text and el.text.strip():
        if d: d['#text'] = el.text.strip()
        else: return el.text.strip()
    return d
print(json.dumps({root.tag: to_dict(root)}, indent=2))
" < data.xml

# ===== Using curl + xq for API responses =====

# Fetch XML API and convert to JSON
curl -s "https://api.example.com/data.xml" | xq .

# SOAP response to JSON
curl -s -X POST "https://api.example.com/soap" \
  -H "Content-Type: text/xml" \
  -d @request.xml | xq '.Envelope.Body'

Java: XML to JSON

In Java, the Jackson XML module and the org.json library are the primary tools for XML to JSON conversion. JAXB can also be used for schema-driven conversions:

// ===== Using org.json (simple conversion) =====
// Maven: org.json:json:20231013

import org.json.JSONObject;
import org.json.XML;

public class XmlToJsonExample {
    public static void main(String[] args) {
        String xml = """
            <bookstore>
              <book id="1">
                <title>Clean Code</title>
                <author>Robert C. Martin</author>
                <price>32.99</price>
              </book>
            </bookstore>
            """;

        // Simple one-line conversion
        JSONObject json = XML.toJSONObject(xml);
        System.out.println(json.toString(2));

        // With configuration
        JSONObject jsonKeepStrings = XML.toJSONObject(xml, true);
        // true = keep all values as strings (no type coercion)
    }
}

// ===== Using Jackson XML (more control) =====
// Maven: com.fasterxml.jackson.dataformat:jackson-dataformat-xml

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class JacksonXmlExample {
    public static void main(String[] args) throws Exception {
        String xml = "<book id=\"1\"><title>Clean Code</title></book>";

        XmlMapper xmlMapper = new XmlMapper();
        JsonNode node = xmlMapper.readTree(xml.getBytes());

        ObjectMapper jsonMapper = new ObjectMapper();
        String json = jsonMapper
            .writerWithDefaultPrettyPrinter()
            .writeValueAsString(node);

        System.out.println(json);
    }
}

// ===== Secure XML parsing in Java =====

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.XMLConstants;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

// Prevent XXE attacks
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setFeature(
    "http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature(
    "http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature(
    "http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

JSON to XML Conversion

The reverse direction, JSON to XML conversion, presents its own set of challenges. While XML-to-JSON is generally straightforward (map elements to objects), going from JSON to XML requires making decisions about how to represent JSON constructs in XML:

Key challenges in JSON to XML conversion: JSON arrays have no direct XML equivalent and must be represented as repeated elements. JSON null values need a representation (empty element, xsi:nil, or omission). JSON booleans and numbers must be serialized as text. JSON property names may contain characters invalid in XML element names. The root element must be chosen or synthesized since JSON does not require one.

The following code examples show JSON to XML conversion in JavaScript and Python, handling arrays, nested objects, and special values:

// ===== JavaScript: JSON to XML =====

import { XMLBuilder } from 'fast-xml-parser';

const jsonData = {
  catalog: {
    product: [
      {
        '@_id': '101',
        name: 'Wireless Mouse',
        price: { '@_currency': 'USD', '#text': '29.99' },
        tags: { tag: ['wireless', 'mouse'] },
      },
      {
        '@_id': '102',
        name: 'Keyboard',
        price: { '@_currency': 'USD', '#text': '49.99' },
        tags: { tag: ['keyboard', 'mechanical'] },
      },
    ],
  },
};

const builder = new XMLBuilder({
  ignoreAttributes: false,
  attributeNamePrefix: '@_',
  textNodeName: '#text',
  format: true,           // pretty print
  indentBy: '  ',
  suppressEmptyNode: true,
});

const xml = builder.build(jsonData);
console.log(xml);

# ===== Python: JSON to XML =====

import xmltodict

json_data = {
    'catalog': {
        'product': {
            '@id': '101',
            'name': 'Wireless Mouse',
            'price': {'@currency': 'USD', '#text': '29.99'},
        }
    }
}

xml_output = xmltodict.unparse(json_data, pretty=True)
print(xml_output)
# Output:
# <?xml version="1.0" encoding="utf-8"?>
# <catalog>
#   <product id="101">
#     <name>Wireless Mouse</name>
#     <price currency="USD">29.99</price>
#   </product>
# </catalog>

Handling Edge Cases in XML to JSON Conversion

Production-grade XML to JSON converters must handle numerous edge cases that can break naive implementations. Here are the most important ones to be aware of:

XML Attributes: The most common edge case. Attributes have no JSON equivalent, so converters must choose a convention (e.g., @attr, $attr, or _attr prefix). When an element has both attributes and text content, both must be preserved: <price currency="USD">29.99</price> becomes {"price": {"@currency": "USD", "#text": "29.99"}}.

CDATA Sections: CDATA sections (<![CDATA[raw content]]>) contain unparsed text that may include characters normally reserved in XML. Most converters treat CDATA content as regular text in the JSON output, but some use a special #cdata-section key to preserve the distinction.

Namespaces: XML namespaces add complexity with prefix declarations like xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/". Converters can preserve namespaces as part of element names (soap:Envelope), strip prefixes entirely, or map namespace URIs to JSON objects. The choice depends on whether downstream consumers need namespace information.

Mixed Content: Elements containing both text and child elements, like <p>Hello <b>world</b> today</p>, are particularly challenging. The text fragments between child elements must be captured, typically using indexed #text keys or an array of mixed content nodes.

Self-Closing Tags and Empty Elements: An empty element like <br/> or <item></item> can be converted to null, an empty string "", or an empty object {}. The choice affects downstream processing. Most converters default to null or "".

Repeated Elements (Array Detection): One of the trickiest problems: <items><item>A</item></items> should produce {"items": {"item": "A"}} (a single string), but <items><item>A</item><item>B</item></items> should produce {"items": {"item": ["A", "B"]}} (an array). Without schema information, the converter only sees one element at a time and cannot know if more siblings follow. Solutions include always-array mode, schema-driven conversion, or two-pass parsing.

Whitespace Handling: Insignificant whitespace between elements (indentation, newlines) should typically be ignored, but whitespace inside text nodes is significant. The xml:space="preserve" attribute controls this behavior. Improper whitespace handling can produce unexpected empty text nodes in the JSON output.

XML Declaration and DTD: The XML declaration (<?xml version="1.0" encoding="UTF-8"?>) and DOCTYPE declarations are metadata that do not map to JSON properties. Processing instructions (<?pi target?>) are also typically dropped during conversion.

// Edge case examples: XML to JSON

// 1. Attributes + text content
// XML:  <price currency="USD">29.99</price>
// JSON: { "price": { "@currency": "USD", "#text": "29.99" } }

// 2. CDATA section
// XML:  <script><![CDATA[if (a < b) { alert("hello"); }]]></script>
// JSON: { "script": "if (a < b) { alert(\"hello\"); }" }

// 3. Namespaces
// XML:  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
//         <soap:Body><GetPrice><Item>Apple</Item></GetPrice></soap:Body>
//       </soap:Envelope>
// JSON: { "soap:Envelope": { "soap:Body": { "GetPrice": { "Item": "Apple" } } } }

// 4. Mixed content
// XML:  <p>Hello <b>world</b> today</p>
// JSON: { "p": { "#text": ["Hello ", " today"], "b": "world" } }

// 5. Self-closing / empty elements
// XML:  <br/>  OR  <item></item>
// JSON: { "br": null }  OR  { "item": "" }

// 6. Single vs multiple children (array detection)
// XML (one child):   <items><item>A</item></items>
// JSON (no array):   { "items": { "item": "A" } }
// XML (two children):<items><item>A</item><item>B</item></items>
// JSON (array):      { "items": { "item": ["A", "B"] } }
// Solution: use isArray option in fast-xml-parser or force_list in xmltodict

// 7. Whitespace preservation
// XML:  <code xml:space="preserve">  hello  world  </code>
// JSON: { "code": "  hello  world  " }

// 8. XML declaration (dropped in JSON)
// XML:  <?xml version="1.0" encoding="UTF-8"?>
// JSON: (not included in output)

XML Security Best Practices

When building an XML to JSON converter or working with any XML parser, security is paramount. XML has several well-known attack vectors that can compromise your application if not properly mitigated:

XXE (XML External Entity) Attacks: The most critical XML vulnerability. An attacker crafts an XML document with external entity declarations that reference local files or internal network resources: <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><data>&xxe;</data>. When the parser resolves the entity, it includes the file content in the parsed output. To prevent XXE: disable external entity processing in your XML parser, use defusedxml in Python, set XMLConstants.FEATURE_SECURE_PROCESSING in Java, and never pass untrusted XML to a parser with default settings.

Billion Laughs Attack (XML Bomb): A denial-of-service attack that uses nested entity expansion to consume exponential memory. The attack defines entities that reference each other recursively: entity lol9 references 10 copies of lol8, which references 10 copies of lol7, and so on. A tiny XML document can expand to gigabytes of text. Mitigation: limit entity expansion depth and total expansion size, or disable DTD processing entirely.

External Entity Injection via DTD: Even when direct XXE is blocked, attackers may use parameter entities and external DTD references to exfiltrate data. The attack fetches a malicious DTD from an attacker-controlled server, which then defines entities to send local file contents to another attacker endpoint. Prevention: disable all external DTD loading and parameter entity processing.

Secure XML Parser Configuration: Every major programming language requires explicit security configuration for XML parsers. In Python, use defusedxml.parse() instead of xml.etree.ElementTree.parse(). In Java, set features like http://apache.org/xml/features/disallow-doctype-decl to true. In JavaScript (Node.js), use fast-xml-parser with processEntities: false or configure libxmljs with noent: false. In .NET, use XmlReaderSettings with DtdProcessing.Prohibit. Always keep XML parsing libraries updated and follow the OWASP XML Security Cheat Sheet.

// ===== Secure XML parsing examples =====

// --- Python: Use defusedxml ---
# UNSAFE: xml.etree.ElementTree (vulnerable to XXE)
import xml.etree.ElementTree as ET  # DO NOT use with untrusted XML

# SAFE: defusedxml blocks all known XML attacks
import defusedxml.ElementTree as SafeET
tree = SafeET.fromstring(untrusted_xml)  # Safe!

# defusedxml blocks:
# - XML External Entity (XXE) attacks
# - Billion Laughs (entity expansion) attacks
# - External DTD retrieval
# - Decompression bombs

# --- Java: Secure DocumentBuilderFactory ---
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Disable all dangerous features
dbf.setFeature(
    "http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature(
    "http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature(
    "http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature(
    "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);

// --- JavaScript (Node.js): fast-xml-parser ---
import { XMLParser } from 'fast-xml-parser';

const secureParser = new XMLParser({
  // fast-xml-parser does NOT process entities by default (safe)
  processEntities: false,       // explicitly disable
  htmlEntities: false,          // don't process HTML entities
  allowBooleanAttributes: false,
});

// --- .NET: Secure XmlReaderSettings ---
// XmlReaderSettings settings = new XmlReaderSettings();
// settings.DtdProcessing = DtdProcessing.Prohibit;
// settings.XmlResolver = null;

// === Example: XXE attack payload (for awareness) ===
// This malicious XML attempts to read /etc/passwd:
//
// <?xml version="1.0"?>
// <!DOCTYPE data [
//   <!ENTITY xxe SYSTEM "file:///etc/passwd">
// ]>
// <data>&xxe;</data>
//
// A vulnerable parser would include file contents in output.
// A secure parser rejects the DOCTYPE declaration entirely.

// === Example: Billion Laughs payload ===
// This XML expands to ~3 GB of text from a few hundred bytes:
//
// <?xml version="1.0"?>
// <!DOCTYPE lolz [
//   <!ENTITY lol "lol">
//   <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
//   <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
//   ...
// ]>
// <data>&lol9;</data>

Frequently Asked Questions

What is the best way to convert XML to JSON?

The best approach depends on your language and use case. In JavaScript, fast-xml-parser is the fastest and most configurable option for xml to json conversion. In Python, xmltodict provides the simplest API with one-line conversion. For command-line use, xq (part of the yq package) converts XML to JSON directly in your terminal. For a quick one-off conversion, use an online XML to JSON converter tool. In all cases, make sure your XML parser has secure configuration to prevent XXE attacks and entity expansion vulnerabilities.

How are XML attributes handled in JSON conversion?

Since JSON has no concept of attributes, XML attributes are mapped to JSON properties using naming conventions. The most common convention prefixes attribute names with @ (e.g., @id, @class). Some converters use $ or _ prefixes instead. When an element has both attributes and text content, the text is stored in a special key like #text. For example, 29.99 becomes {"price": {"@currency": "USD", "#text": "29.99"}}. Different conventions (Badgerfish, Parker, GData) handle attributes differently, so choose one that fits your downstream data processing needs.

Is XML to JSON conversion secure? What about XXE attacks?

XML parsing can be dangerous if not configured properly. The biggest risk is XXE (XML External Entity) attacks, where malicious XML documents reference local files or internal network resources. To convert XML to JSON securely: always disable external entity processing in your XML parser, use security-focused libraries like defusedxml in Python, set FEATURE_SECURE_PROCESSING in Java, disable DTD processing when not needed, and never parse untrusted XML with default parser settings. The Billion Laughs attack is another threat that uses recursive entity expansion for denial of service. Always validate and sanitize XML input before conversion.

XML to JSON conversion is a fundamental data transformation skill for modern developers. Whether you are migrating SOAP APIs to REST, processing XML feeds, or building data pipelines, understanding the nuances of XML to JSON and JSON to XML conversion helps you handle edge cases and avoid common pitfalls. Use our free online tool for quick conversions, and follow the security best practices outlined above when processing untrusted XML in production.

Convert XML to JSON instantly with our free online tool. | XML Formatter | JSON Formatter