Diff

util/stanza.lua @ 8599:62bfc85a53c8

util.stanza: Add stricter validation for data passed to stanza builder API
author Matthew Wild <mwild1@gmail.com>
date Fri, 16 Mar 2018 14:51:24 +0000
parent 8555:4f0f5b49bb03
child 8626:20532f191f8d
line wrap: on
line diff
--- a/util/stanza.lua	Fri Mar 16 14:50:28 2018 +0000
+++ b/util/stanza.lua	Fri Mar 16 14:51:24 2018 +0000
@@ -7,6 +7,7 @@
 --
 
 
+local assert        =        assert;
 local t_insert      =  table.insert;
 local t_remove      =  table.remove;
 local t_concat      =  table.concat;
@@ -23,6 +24,8 @@
 local s_find        =   string.find;
 local os            =            os;
 
+local valid_utf8 = require "util.encodings".utf8.valid;
+
 local do_pretty_printing = not os.getenv("WINDIR");
 local getstyle, getstring;
 if do_pretty_printing then
@@ -42,7 +45,32 @@
 local stanza_mt = { __name = "stanza" };
 stanza_mt.__index = stanza_mt;
 
+local function check_name(name)
+	assert(type(name) == "string", "tag name is not a string, "..type(name));
+	assert(#name > 0, "tag name is empty");
+	assert(not s_find(name, "[<>& '\"]"), "tag name contains invalid characters");
+	assert(valid_utf8(name), "tag name is invalid utf8");
+end
+local function check_attr(attr)
+	if attr ~= nil then
+		assert(type(attr) == "table", "attribute is not a table");
+		for k, v in pairs(attr) do
+			assert(type(k) == "string", "non-string key in attributes");
+			assert(valid_utf8(k), "attribute name is not valid utf8");
+			assert(type(v) == "string", "non-string value in attributes");
+			assert(valid_utf8(v), "attribute value is not valid utf8");
+		end
+	end
+end
+local function check_text(text)
+	assert(type(text) == "string", "text is not a string");
+	assert(valid_utf8(text), "text is not valid utf8");
+end
+
 local function new_stanza(name, attr, namespaces)
+	assert(name)
+	check_name(name);
+	check_attr(attr);
 	local stanza = { name = name, attr = attr or {}, namespaces = namespaces, tags = {} };
 	return setmetatable(stanza, stanza_mt);
 end
@@ -69,6 +97,7 @@
 end
 
 function stanza_mt:text(text)
+	check_text(text);
 	local last_add = self.last_add;
 	(last_add and last_add[#last_add] or self):add_direct_child(text);
 	return self;