Escape XML using &…;

Escape special markup characters using the method described here: https://www.w3.org/TR/REC-xml/#syntax
dhall-lang · May 14, 2021 · fc8b65e · fc8b65e
1 parent 1e0bb48
commit fc8b65e
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/Prelude/XML/render.dhall b/Prelude/XML/render.dhall
@@ -1,10 +1,6 @@
 {-|
 Render an `XML` value as `Text`
 
-*WARNING:* rendering does not include any XML injection mitigations,
-therefore it should not be used to process arbitrary strings into
-element attributes or element data.
-
 For indentation and schema validation, see the `xmllint` utility
 bundled with libxml2.
 
@@ -48,15 +44,23 @@ let emptyAttributes =
 
 let Attr = { mapKey : Text, mapValue : Text }
 
-let `escape"` = Text/replace "\"" "\\\""
+let esc = λ(x : Text) → λ(y : Text) → Text/replace x "&${y};"
+
+let `escape&` = esc "&" "amp"
+
+let `escape<` = esc "<" "lt"
+
+let `escape>` = esc ">" "gt"
+
+let `escape'` = esc "'" "apos"
 
-let `escape<` = Text/replace "<" "\\<"
+let `escape"` = esc "\"" "quot"
 
-let `escape&` = Text/replace "&" "\\&"
+let escapeCommon = λ(text : Text) → `escape<` (`escape&` text)
 
-let escapeText = λ(text : Text) → `escape<` (`escape&` text)
+let escapeAttr = λ(text : Text) → `escape"` (`escape'` (escapeCommon text))
 
-let escapeAttr = λ(text : Text) → `escape"` (`escape<` (`escape&` text))
+let escapeText = λ(text : Text) → `escape>` (escapeCommon text)
 
 let renderAttr = λ(x : Attr) → " ${x.mapKey}=\"${escapeAttr x.mapValue}\""
 
@@ -123,9 +127,7 @@ let example1 =
             "\n"
             ""
             ''
-            <escape attribute="\<>'\"\&">
-            \<>'"\&
-            </escape>
+            <escape attribute="&lt;>&apos;&quot;&amp;">&lt;&gt;'"&amp;</escape>
             ''
 
 in  render
diff --git a/Prelude/package.dhall b/Prelude/package.dhall
@@ -38,6 +38,6 @@
       ./Text/package.dhall sha256:17a0e0e881b05436d7e3ae94a658af9da5ba2a921fafa0d1d545890978853434
     ? ./Text/package.dhall
 , XML =
-      ./XML/package.dhall sha256:8f57bda3087cbb34568d58e5dd5ee6860a50576caf48ebe49a5fc60b9af9a1fa
+      ./XML/package.dhall sha256:6a15ea2ab1918f97374ec2fe3b90c056fb807fb3a90c1c44ce9fb9233f59c0e5
     ? ./XML/package.dhall
 }