Commit 6a2240f5 authored by louiz’'s avatar louiz’

Properly sanitize everything in the XML we send to the XMPP server

in this order:
- Make sure it is utf-8 encoded
- Remove all chars that are invalid in XML
- Escape all XML special chars (&'"<>)
parent 53e6b1da
......@@ -218,13 +218,12 @@ std::string XmlNode::to_string() const
std::string res("<");
res += this->name;
for (const auto& it: this->attributes)
res += " " + utils::remove_invalid_xml_chars(it.first) + "='" +
utils::remove_invalid_xml_chars(it.second) + "'";
res += " " + it.first + "='" + sanitize(it.second) + "'";
if (this->closed && !this->has_children() && this->inner.empty())
res += "/>";
else
{
res += ">" + utils::remove_invalid_xml_chars(this->inner);
res += ">" + sanitize(this->inner);
for (const auto& child: this->children)
res += child->to_string();
if (this->closed)
......@@ -232,7 +231,7 @@ std::string XmlNode::to_string() const
res += "</" + this->get_name() + ">";
}
}
res += utils::remove_invalid_xml_chars(this->tail);
res += sanitize(this->tail);
return res;
}
......@@ -265,3 +264,11 @@ std::string& XmlNode::operator[](const std::string& name)
{
return this->attributes[name];
}
std::string sanitize(const std::string& data)
{
if (utils::is_valid_utf8(data.data()))
return xml_escape(utils::remove_invalid_xml_chars(data));
else
return xml_escape(utils::remove_invalid_xml_chars(utils::convert_to_utf8(data, "ISO-8859-1")));
}
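Review bot: Attribute names lose their filtering in the first hunk of XmlNode::to_string(): the line that calls `sanitize(it.second)` writes `it.first` out raw, while the line it appears to replace passed it through `utils::remove_invalid_xml_chars`, and `this->name` is likewise appended unchanged. Restoring the filter, as in `res += " " + utils::remove_invalid_xml_chars(it.first) + "='" + sanitize(it.second) + "'";`, would at least keep the previous behaviour. If element and attribute names are always chosen by the program, a comment such as `// names are program-chosen constants, never remote data` would document why they are not escaped. Separately, in `sanitize`, `utils::is_valid_utf8(data.data())` is handed a C string, so the validity check presumably stops at the first NUL byte while the full std::string is passed on; it is worth confirming that bytes after a NUL cannot skip the ISO-8859-1 conversion. The body of to_string() is only partly visible between the hunks.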
......@@ -7,6 +7,7 @@
std::string xml_escape(const std::string& data);
std::string xml_unescape(const std::string& data);
std::string sanitize(const std::string& data);
/**
* Represent an XML node. It has
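Review bot: The new declaration `std::string sanitize(const std::string& data);` has no comment, and its generic name at namespace scope does not say what the result is safe for. A short doc comment above it should state the order given in the commit message (ensure UTF-8, remove chars invalid in XML, escape `&'"<>`). It should also say that input which is not valid UTF-8 is reinterpreted as ISO-8859-1, and that the result is meant for element text and quoted attribute values, not for element or attribute names. A more specific name such as `sanitize_for_xml` would also make call sites easier to audit.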
......