Software `/` code `/` prosody

Comparison

util/xml.lua @ 12202:ebeb4d959fb3 0.11 0.11.13

util.xml: Deduplicate handlers for restricted XML Makes the code more like util.xmppstream, allowing easier comparisons if we ever need to apply fixes in the future.

author	Kim Alvefur <zash@zash.se>
date	Thu, 20 Jan 2022 10:51:46 +0100
parent	12201:e5e0ab93d7f4
child	12203:320de3e4b579

comparison

equal deleted inserted replaced

-:e5e0ab93d7f4
+:ebeb4d959fb3
 		end
 		function handler:EndElement()
 			stanza:up();
 		end
 		-- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
-		function handler:StartDoctypeDecl()
+		local function restricted_handler(parser)
-			if not self.stop or not self:stop() then
+			if not parser.stop or not parser:stop() then
 				error("Failed to abort parsing");
 			end
 		end
-		function handler:ProcessingInstruction()
+		handler.StartDoctypeDecl = restricted_handler;
-			if not self.stop or not self:stop() then
+		handler.ProcessingInstruction = restricted_handler;
-				error("Failed to abort parsing");
-			end
-		end
 		if not options or not options.allow_comments then
 			-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
-			function handler:Comment()
+			handler.Comment = restricted_handler;
-				if not self.stop or not self:stop() then
-					error("Failed to abort parsing");
-				end
-			end
 		end
 		local parser = lxp.new(handler, ns_separator);
 		local ok, err, line, col = parser:parse(xml);
 		if ok then ok, err, line, col = parser:parse(); end
 		--parser:close();

prosody

ebeb4d959fb3

util/xml.lua

Software / code / prosody

Comparison

util/xml.lua @ 12202:ebeb4d959fb3 0.11 0.11.13

Software `/` code `/` prosody