Output containing reserved characters isn't escaped allowing invalid JSON and XML

[brooksdavis]

Some code we were running that used libxo added single quote characters to a string that ended up in a value (via a few levels of indirection) and we were surprised to find that invalid XML was produced. It would be helpful if libxo did this for us or at a minimum least provided a simple vis(3) like function that did the escaping required for the current format mode.

In our case I ended up using a strsnvis() to blindly encode XML and JSON special characters.

[philshafer]

Do you have some example code? My goal is definitely to prevent generation of invalid xml/json wherever possible.

Thanks,
Phil

On Apr 20, 2015, at 4:11 PM, Brooks Davis notifications@github.com wrote:

Some code we were running that used libxo added single quote characters to a string that ended up in a value (via a few levels of indirection) and we were surprised to find that invalid XML was produced. It would be helpful if libxo did this for us or at a minimum least provided a simple vis(3) like function that did the escaping required for the current format mode.

In our case I ended up using a strsnvis() to blindly encode XML and JSON special characters.

—
Reply to this email directly or view it on GitHub #35.

[brooksdavis]

I wrote some code and then realized the person who reported the issues to me was wrong. You are escaping < > and &. ' and " have encodings, but don't need to be encoded and I now think libxo is doing the right thing. Sorry for the noise.

[philshafer]

No problem. Always happy for non-problems. ;^)

Can I ask what the app is?

Thanks,
Phil

On Apr 20, 2015, at 4:20 PM, Brooks Davis notifications@github.com wrote:

I wrote some code and then realized the person who reported the issues to me was wrong. You are escaping < > and &. ' and " have encodings, but don't need to be encoded and I now think libxo is doing the right thing. Sorry for the noise.

—
Reply to this email directly or view it on GitHub #35 (comment).

[brooksdavis]

It's a unit test program used in our fork of FreeBSD support the CHERI processor which has hardware enforced memory safety and fast hardware supported application compartmentalization.

The test program is in github at:
https://github.com/CTSRD-CHERI/cheribsd/tree/master/bin/cheritest

Project info at http://www.cl.cam.ac.uk/research/security/ctsrd/cheri/

The SOAAP component of the project also uses libxo to produce structured output from LLVM/Clang, but I'm enough out of the loop there that I don't know exactly what it's used for.

[philshafer]

Awesome! Thanks…

On Apr 20, 2015, at 4:27 PM, Brooks Davis notifications@github.com wrote:

It's a unit test program used in our fork of FreeBSD support the CHERI processor which has hardware enforced memory safety and fast hardware supported application compartmentalization.

The test program is in github at:
https://github.com/CTSRD-CHERI/cheribsd/tree/master/bin/cheritest https://github.com/CTSRD-CHERI/cheribsd/tree/master/bin/cheritest
Project info at http://www.cl.cam.ac.uk/research/security/ctsrd/cheri/ http://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
The SOAAP component of the project also uses libxo to produce structured output from LLVM/Clang, but I'm enough out of the loop there that I don't know exactly what it's used for.

—
Reply to this email directly or view it on GitHub #35 (comment).