Escape XML using &…; (#1174)

Escape special markup characters using the method described here: https://www.w3.org/TR/REC-xml/#syntax
dhall-lang · May 20, 2021 · 5e14eea · 5e14eea
1 parent 2547fe7
commit 5e14eea
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 15 deletions.
diff --git a/Prelude/XML/package.dhall b/Prelude/XML/package.dhall
@@ -5,7 +5,7 @@
       ./attribute.dhall sha256:f7b6c802ca5764d03d5e9a6e48d9cb167c01392f775d9c2c87b83cdaa60ea0cc
     ? ./attribute.dhall
 , render =
-      ./render.dhall sha256:aff7efe61ce299381edca023e24bb5aaa0656c41bfa45dd705dab63519b7c5db
+      ./render.dhall sha256:550c8900fe199b83d629181d53c646f2f9425d9c64670dabb30d28e95bfa4c75
     ? ./render.dhall
 , element =
       ./element.dhall sha256:e0b948053c8cd8ccca9c39244d89e3f42db43d222531c18151551dfc75208b4b

diff --git a/Prelude/XML/render b/Prelude/XML/render
@@ -1,2 +1,2 @@
-  ./render.dhall sha256:aff7efe61ce299381edca023e24bb5aaa0656c41bfa45dd705dab63519b7c5db
+  ./render.dhall sha256:550c8900fe199b83d629181d53c646f2f9425d9c64670dabb30d28e95bfa4c75
 ? ./render.dhall
diff --git a/Prelude/XML/render.dhall b/Prelude/XML/render.dhall
@@ -1,10 +1,6 @@
 {-|
 Render an `XML` value as `Text`
 
-*WARNING:* rendering does not include any XML injection mitigations,
-therefore it should not be used to process arbitrary strings into
-element attributes or element data.
-
 For indentation and schema validation, see the `xmllint` utility
 bundled with libxml2.
 
@@ -48,15 +44,23 @@ let emptyAttributes =
 
 let Attr = { mapKey : Text, mapValue : Text }
 
-let `escape"` = Text/replace "\"" "\\\""
+let esc = λ(x : Text) → λ(y : Text) → Text/replace x "&${y};"
+
+let `escape&` = esc "&" "amp"
+
+let `escape<` = esc "<" "lt"
+
+let `escape>` = esc ">" "gt"
+
+let `escape'` = esc "'" "apos"
 
-let `escape<` = Text/replace "<" "\\<"
+let `escape"` = esc "\"" "quot"
 
-let `escape&` = Text/replace "&" "\\&"
+let escapeCommon = λ(text : Text) → `escape<` (`escape&` text)
 
-let escapeText = λ(text : Text) → `escape<` (`escape&` text)
+let escapeAttr = λ(text : Text) → `escape"` (`escape'` (escapeCommon text))
 
-let escapeAttr = λ(text : Text) → `escape"` (`escape<` (`escape&` text))
+let escapeText = λ(text : Text) → `escape>` (escapeCommon text)
 
 let renderAttr = λ(x : Attr) → " ${x.mapKey}=\"${escapeAttr x.mapValue}\""
 
@@ -123,9 +127,7 @@ let example1 =
             "\n"
             ""
             ''
-            <escape attribute="\<>'\"\&">
-            \<>'"\&
-            </escape>
+            <escape attribute="&lt;>&apos;&quot;&amp;">&lt;&gt;'"&amp;</escape>
             ''
 
 in  render
diff --git a/Prelude/package.dhall b/Prelude/package.dhall
@@ -38,6 +38,6 @@
       ./Text/package.dhall sha256:17a0e0e881b05436d7e3ae94a658af9da5ba2a921fafa0d1d545890978853434
     ? ./Text/package.dhall
 , XML =
-      ./XML/package.dhall sha256:8f57bda3087cbb34568d58e5dd5ee6860a50576caf48ebe49a5fc60b9af9a1fa
+      ./XML/package.dhall sha256:6a15ea2ab1918f97374ec2fe3b90c056fb807fb3a90c1c44ce9fb9233f59c0e5
     ? ./XML/package.dhall
 }