~singpolyma/biboumi

6a2240f5935a4608e651a33c39219e912c9ea9ba — Florent Le Coz 9 years ago 53e6b1d
Properly sanitize everything in the XML we send to the XMPP server

in this order:
- Make sure it is utf-8 encoded
- Remove all chars that are invalid in XML
- Escape all XML special chars (&'"<>)
2 files changed, 12 insertions(+), 4 deletions(-)

M src/xmpp/xmpp_stanza.cpp
M src/xmpp/xmpp_stanza.hpp
M src/xmpp/xmpp_stanza.cpp => src/xmpp/xmpp_stanza.cpp +11 -4
@@ 218,13 218,12 @@ std::string XmlNode::to_string() const
  std::string res("<");
  res += this->name;
  for (const auto& it: this->attributes)
    res += " " + utils::remove_invalid_xml_chars(it.first) + "='" +
      utils::remove_invalid_xml_chars(it.second) + "'";
    res += " " + it.first + "='" + sanitize(it.second) + "'";
  if (this->closed && !this->has_children() && this->inner.empty())
    res += "/>";
  else
    {
      res += ">" + utils::remove_invalid_xml_chars(this->inner);
      res += ">" + sanitize(this->inner);
      for (const auto& child: this->children)
        res += child->to_string();
      if (this->closed)


@@ 232,7 231,7 @@ std::string XmlNode::to_string() const
          res += "</" + this->get_name() + ">";
        }
    }
  res += utils::remove_invalid_xml_chars(this->tail);
  res += sanitize(this->tail);
  return res;
}



@@ 265,3 264,11 @@ std::string& XmlNode::operator[](const std::string& name)
{
  return this->attributes[name];
}

std::string sanitize(const std::string& data)
{
  if (utils::is_valid_utf8(data.data()))
    return xml_escape(utils::remove_invalid_xml_chars(data));
  else
    return xml_escape(utils::remove_invalid_xml_chars(utils::convert_to_utf8(data, "ISO-8859-1")));
}
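Review bot: On the rewritten attribute line in `XmlNode::to_string()` the attribute name is appended raw (`" " + it.first + "='"`), while the line it appears to replace passed the name through `utils::remove_invalid_xml_chars`; only the value now goes through `sanitize()`. If an attribute name can ever come from remote data, unfiltered characters would reach the outgoing stanza, so I would keep the filter on the name: `res += " " + utils::remove_invalid_xml_chars(it.first) + "='" + sanitize(it.second) + "'";`. The element name (`this->name`, `get_name()`) is also emitted unfiltered, which seems to predate this commit. Separately, `sanitize()` calls `utils::is_valid_utf8(data.data())`; that helper's signature is not visible here, but if it takes a NUL-terminated pointer, bytes after an embedded NUL in `data` are never validated, and passing the length as well would close that gap.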

M src/xmpp/xmpp_stanza.hpp => src/xmpp/xmpp_stanza.hpp +1 -0
@@ 7,6 7,7 @@

std::string xml_escape(const std::string& data);
std::string xml_unescape(const std::string& data);
std::string sanitize(const std::string& data);

/**
 * Represent an XML node. It has
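Review bot: The new `sanitize()` declaration carries no comment, although every caller that builds outgoing XML depends on its contract. I would document it above the declaration, for example `/** Prepare data for outgoing XML: convert to UTF-8 (non-UTF-8 input is treated as ISO-8859-1), remove chars invalid in XML, then escape &'"<>. Expects unescaped text; applying it twice double-escapes. */`. The name is also very generic for a free function declared in a header, so a namespace or a more specific name would reduce the risk of clashes; the enclosing scope is not visible in this hunk.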