BOSH: XML CDATA is not properly escaped #203

madprogrammer · 2014-05-23T09:44:03Z

In mod_bosh.erl, a call is made to exml:to_binary, without first escaping XML CDATA content. In exml/src/exml.erl a comment states that "it's caller's responsibility to make sure that #xmlcdata's content is escaped properly".

As a result, invalid XML is produced in case if a tag contains special chars like "&" in its body. This example will reproduce the error:

<iq type="set" id="4">
  <query xmlns="jabber:iq:private">
  <TestPrivate xmlns="some:private:data">Test with an &amp;</TestPrivate>
  </query>
</iq>

Executing a "get" IQ over BOSH will return the following reply

<iq from='bot@localhost' to='bot@localhost/test' id='4' type='result'>
  <query xmlns='jabber:iq:private'>
  <TestPrivate xmlns="some:private:data">Test with an &</TestPrivate>
  </query>
</iq>

Notice how the "&" is not properly escaped in the BOSH reply. Other places where exml:to_binary is used to convert {xmlel, ...} into binary string may also be affected by similar issue.

The text was updated successfully, but these errors were encountered:

michalwski · 2014-05-23T09:51:03Z

Thanks for catching this bug!

erszcz added the bug label May 23, 2014

michalwski mentioned this issue May 23, 2014

Special characters in tag's content esl/ejabberd_tests#54

Closed

michalwski mentioned this issue Jun 12, 2014

Various fixes/changes #216

Merged

michalwski closed this as completed in 2a27eec Jun 18, 2014

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BOSH: XML CDATA is not properly escaped #203

BOSH: XML CDATA is not properly escaped #203

madprogrammer commented May 23, 2014

michalwski commented May 23, 2014

BOSH: XML CDATA is not properly escaped #203

BOSH: XML CDATA is not properly escaped #203

Comments

madprogrammer commented May 23, 2014

michalwski commented May 23, 2014