From fc8b65e29f54c5d3a4cbe7468c7ffa921637e20d Mon Sep 17 00:00:00 2001 From: Emery Hemingway Date: Fri, 14 May 2021 11:20:24 +0200 Subject: [PATCH] =?UTF-8?q?Escape=20XML=20using=20&=E2=80=A6;?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Escape special markup characters using the method described here: https://www.w3.org/TR/REC-xml/#syntax --- Prelude/XML/render.dhall | 26 ++++++++++++++------------ Prelude/package.dhall | 2 +- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/Prelude/XML/render.dhall b/Prelude/XML/render.dhall index ff07a8021..10652cbd0 100644 --- a/Prelude/XML/render.dhall +++ b/Prelude/XML/render.dhall @@ -1,10 +1,6 @@ {-| Render an `XML` value as `Text` -*WARNING:* rendering does not include any XML injection mitigations, -therefore it should not be used to process arbitrary strings into -element attributes or element data. - For indentation and schema validation, see the `xmllint` utility bundled with libxml2. @@ -48,15 +44,23 @@ let emptyAttributes = let Attr = { mapKey : Text, mapValue : Text } -let `escape"` = Text/replace "\"" "\\\"" +let esc = λ(x : Text) → λ(y : Text) → Text/replace x "&${y};" + +let `escape&` = esc "&" "amp" + +let `escape<` = esc "<" "lt" + +let `escape>` = esc ">" "gt" + +let `escape'` = esc "'" "apos" -let `escape<` = Text/replace "<" "\\<" +let `escape"` = esc "\"" "quot" -let `escape&` = Text/replace "&" "\\&" +let escapeCommon = λ(text : Text) → `escape<` (`escape&` text) -let escapeText = λ(text : Text) → `escape<` (`escape&` text) +let escapeAttr = λ(text : Text) → `escape"` (`escape'` (escapeCommon text)) -let escapeAttr = λ(text : Text) → `escape"` (`escape<` (`escape&` text)) +let escapeText = λ(text : Text) → `escape>` (escapeCommon text) let renderAttr = λ(x : Attr) → " ${x.mapKey}=\"${escapeAttr x.mapValue}\"" @@ -123,9 +127,7 @@ let example1 = "\n" "" '' - - \<>'"\& - + <>'"& '' in render 
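Review bot: The header comment no longer carries any caveat, yet the new escaping covers only attribute values and element text: in the context line `let renderAttr = λ(x : Attr) → " ${x.mapKey}=\"${escapeAttr x.mapValue}\""` the attribute name `x.mapKey` is still interpolated verbatim, and entity escaping cannot be applied to it because character references are not permitted inside XML names. A key containing whitespace, `=`, `"` or `>` therefore still yields malformed or unintended markup, and the same presumably holds for element names rendered elsewhere in this file (outside this hunk). Rather than dropping the warning outright, narrow it and keep a sentence in the `{-| ... -}` header such as `Only attribute values and text content are escaped; element and attribute names are emitted unescaped and must already be valid XML names.` Separately, the `esc`-based escapers replace only `& < > ' "`, so code points outside the XML 1.0 `Char` production (e.g. U+0000) pass through unchanged, which is worth a clause in the same comment if that is intended. The ordering in `escapeCommon` (ampersand before the angle bracket) is correct and avoids double-escaping the generated entities.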
diff --git a/Prelude/package.dhall b/Prelude/package.dhall index b38fae1e9..faa364093 100644 --- a/Prelude/package.dhall +++ b/Prelude/package.dhall @@ -38,6 +38,6 @@ ./Text/package.dhall sha256:17a0e0e881b05436d7e3ae94a658af9da5ba2a921fafa0d1d545890978853434 ? ./Text/package.dhall , XML = - ./XML/package.dhall sha256:8f57bda3087cbb34568d58e5dd5ee6860a50576caf48ebe49a5fc60b9af9a1fa + ./XML/package.dhall sha256:6a15ea2ab1918f97374ec2fe3b90c056fb807fb3a90c1c44ce9fb9233f59c0e5 ? ./XML/package.dhall }