[GEOS-11152] Improve handling special characters in the Simple SVG Renderer

[sikeoka]

This PR updates the Simple SVG renderer to properly escape special characters from GeoServer catalog information.
NOTE: This PR only updates code that could be executed through actual GeoServer WMS GetMap requests and ignores any potential issues in dead code.

Checklist

• I have read the contribution guidelines.
• I have sent a Contribution Licence Agreement (not required for small changes, e.g., fixing typos in documentation).
• First PR targets the main branch (backports managed later; ignore for branch specific issues).
• All the build checks are green (see automated QA checks).

For core and extension modules:

• New unit tests have been added covering the changes.
• Documentation has been updated (if change is visible to end users).
• The REST API docs have been updated (when changing configuration objects or the REST controllers).
• There is an issue in the GeoServer Jira (except for changes that do not affect administrators or end users in any way).
• Commit message(s) must be in the form [GEOS-XYZWV] Title of the Jira ticket.
• Bug fixes and small new features are presented as a single commit.
• Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).

[aaime]

Is SVGWriter.encodeAttribute as good as StringEscapeUtils?
Also, groupId is basically the type name... why bother about the type name (admin configured) but not about the attribute names, in SVGWriter.startFeature?

[sikeoka]

SVGWriter.encodeAttribute doesn't exist. There is a AttributesSVGHandler.encodeAttribute but that is a private non-static method on a non-static inner class of SVGWriter and, even though it would prevent injection, it may not actually guarantee valid XML output.
SVGWriter has a lot dead code and I only updated code that could actually be run in a live GeoServer.

[sikeoka]

These are examples of where a lot of the SVGWriter functionality gets commented out:
https://github.com/geoserver/geoserver/blob/main/src/wms/src/main/java/org/geoserver/wms/svg/SVGWriter.java#L142
https://github.com/geoserver/geoserver/blob/main/src/wms/src/main/java/org/geoserver/wms/svg/SVGWriter.java#L208
https://github.com/geoserver/geoserver/blob/main/src/wms/src/main/java/org/geoserver/wms/svg/SVGWriter.java#L250

[groldan]

oh my! What an oldie! that was the very first WMS output format, even before any raster image one IIRC.
There was no pull-push XML API by then, SAX sucked for streaming, and DOM wasn't an option.
You're not up for a re-write using StAX, aren't you?
Glad to see someone is using it though.

[aaime]

The backport to 2.23.x failed:

The process '/usr/bin/git' failed with exit code 1

stderr

error: could not apply da8046ab01... [GEOS-11152] Improve handling special characters in the Simple SVG Renderer
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".

stdout

Auto-merging src/wms/src/main/java/org/geoserver/wms/svg/StreamingSVGMap.java
Auto-merging src/wms/src/test/java/org/geoserver/wms/svg/SVGMapProducerTest.java
CONFLICT (content): Merge conflict in src/wms/src/test/java/org/geoserver/wms/svg/SVGMapProducerTest.java

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.23.x 2.23.x
# Navigate to the new working tree
cd .worktrees/backport-2.23.x
# Create a new branch
git switch --create backport-7173-to-2.23.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick da8046ab019dd5e65c8d440ddfeafefe0f7193d4
# Push it to GitHub
git push --set-upstream origin backport-7173-to-2.23.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.23.x

Then, create a pull request where the base branch is 2.23.x and the compare/head branch is backport-7173-to-2.23.x.

[aaime]

Eventual backport to 2.23.x will have to be manual