util/stanza.lua @ 11205:9d1e21c23784 0.11
util.stanza: Reject ASCII control characters (fixes #1606)
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 11 Nov 2020 16:00:41 +0100 |
parent | 9674:6f97acc4583b |
child | 11206:f051394762ff |
child | 11261:be38ae8fdfa5 |
--- a/util/stanza.lua Fri Nov 06 13:49:40 2020 +0100
+++ b/util/stanza.lua Wed Nov 11 16:00:41 2020 +0100
@@ -45,6 +45,10 @@
 local stanza_mt = { __name = "stanza" };
 stanza_mt.__index = stanza_mt;
 
+local function valid_xml_cdata(str, attr)
+ return not s_find(str, attr and "[^\1\9\10\13\20-~\128-\247]" or "[^\9\10\13\20-~\128-\247]");
+end
+
 local function check_name(name, name_type)
 if type(name) ~= "string" then
 error("invalid "..name_type.." name: expected string, got "..type(name));
@@ -52,6 +56,8 @@
 error("invalid "..name_type.." name: empty string");
 elseif s_find(name, "[<>& '\"]") then
 error("invalid "..name_type.." name: contains invalid characters");
+ elseif not valid_xml_cdata(name, name_type == "attribute") then
+ error("invalid "..name_type.." name: contains control characters");
 elseif not valid_utf8(name) then
 error("invalid "..name_type.." name: contains invalid utf8");
 end
@@ -60,7 +66,9 @@
 local function check_text(text, text_type)
 if type(text) ~= "string" then
 error("invalid "..text_type.." value: expected string, got "..type(text));
- elseif not valid_utf8(text) then
+ elseif not valid_xml_cdata(text) then
+ error("invalid "..text_type.." value: contains control characters");
+ elseif not valid_utf8(text, false) then
 error("invalid "..text_type.." value: contains invalid utf8");
 end
 end
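Review bot: Both character classes in `valid_xml_cdata` start the printable range at `\20`, and Lua reads `\ddd` escapes as decimal, so the range begins at byte 20 rather than at space (decimal 32, 0x20). As written the check still accepts control bytes 20–31, ESC (27) among them, which XML 1.0 does not permit in character data. The neighbouring `\9\10\13` and `\128-\247` are decimal as well, so this looks like a hex/decimal slip rather than intent. I would change both patterns to `\32-~`, i.e. `"[^\1\9\10\13\32-~\128-\247]"` and `"[^\9\10\13\32-~\128-\247]"`, and add a test asserting that a value containing `"\27"` is rejected. The `check_name` and `check_text` calls added in the later hunks rely on this helper and inherit the gap.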
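Review bot: The new `valid_xml_cdata(name, name_type == "attribute")` branch lets byte 1 through for attribute names only, and nothing in the visible code says why a control byte is acceptable there. If it is an internal separator, which is a guess from here, a comment should say so, for example `-- \1 is allowed in attribute names only: <reason>`. A later maintainer tightening the pattern then knows whether the exception is load-bearing. `check_name` begins in the previous hunk and one line between the two hunks is not shown.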
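Review bot: `check_text` now calls `valid_utf8(text, false)`, while `check_name` keeps the one-argument `valid_utf8(name)`, and the meaning of the new second argument is not visible in this diff. Since this is an input-validation path, a comment on that line should state what `false` switches off or on and why text values are treated differently from names, e.g. `-- second argument false: <what it changes>`. Separately, `valid_xml_cdata` now runs first, so bytes 248–255 (outside `\128-\247`) are reported as "contains control characters" rather than "contains invalid utf8". That makes rejected input harder to triage from logs.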