From f902a335f9063eea32ffa13d35df7d38a0299d90 Mon Sep 17 00:00:00 2001
From: Eugen
Date: Sun, 16 Apr 2017 20:32:27 +0200
Subject: Fix #1870 - Strip control characters out of strings in AtomSerializer (#1876)

* Fix #1870 - Strip control characters out of strings in AtomSerializer

* Adjust according to comment by @alpaca-tc
---
 app/lib/atom_serializer.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'app')

diff --git a/app/lib/atom_serializer.rb b/app/lib/atom_serializer.rb
index 6f1910440..4e4031bba 100644
--- a/app/lib/atom_serializer.rb
+++ b/app/lib/atom_serializer.rb
@@ -3,6 +3,8 @@ class AtomSerializer
   include RoutingHelper
+  INVALID_XML_CHARS = /[^\u0009\u000a\u000d\u0020-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]/
+
   class << self
     def render(element)
       document = Ox::Document.new(version: '1.0')
@@ -311,11 +313,15 @@ class AtomSerializer
     def append_element(parent, name, content = nil, attributes = {})
       element = Ox::Element.new(name)
-      attributes.each { |k, v| element[k] = v.to_s }
-      element << content.to_s unless content.nil?
+      attributes.each { |k, v| element[k] = sanitize_str(v) }
+      element << sanitize_str(content) unless content.nil?
       parent << element
     end
+    def sanitize_str(raw_str)
+      raw_str.to_s.gsub(INVALID_XML_CHARS, '')
+    end
+
     def add_namespaces(parent)
       parent['xmlns'] = TagManager::XMLNS
       parent['xmlns:thr'] = TagManager::THR_XMLNS
-- 
cgit
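Review bot: The last range of the added `INVALID_XML_CHARS` constant does not cover the supplementary planes, because a `\u` escape in a Ruby regexp takes exactly four hex digits: `\u10000-\u10FFFF` is parsed as `\u1000`, the range `0-\u10FF`, `F`, `F`, so every code point above U+FFFF (emoji, for example) falls into the negated class and is deleted by `sanitize_str` instead of being passed through. The brace form is required for those code points: `INVALID_XML_CHARS = /[^\u0009\u000a\u000d\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/`. The constant would also benefit from a comment stating where the allowed set comes from, e.g. `# Code points outside the XML 1.0 Char production (C0 controls other than TAB/LF/CR, surrogates, U+FFFE/U+FFFF); removed before serialization.`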
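Review bot: `sanitize_str` assumes its input is a well-formed string in a Unicode encoding; if a value with an invalid byte sequence can reach `append_element` (content received from a remote instance, for instance), `gsub` raises `ArgumentError` rather than sanitizing, so the serializer fails on exactly the input it is meant to clean. If that path exists, `raw_str.to_s.scrub.gsub(INVALID_XML_CHARS, '')` replaces the bad bytes before the control-character strip; whether such values occur here cannot be told from the hunk. The new method is also added to the public singleton interface next to `append_element`; if it is only an internal helper, a `private_class_method :sanitize_str` (or a short doc comment such as `# Returns +raw_str+ as a String with code points that are not valid in XML 1.0 removed.`) would make the intent clear.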