Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Backslash escaping of CR in XML output #1648

nnposter opened this issue Jun 26, 2019 · 1 comment


Copy link

commented Jun 26, 2019

Any CR characters in script output are backslash-escaped in XML output, while LFs are not:

<elem key="output">No LSB modules are available.\x0D&#xa;Distributor ID:&#x9;Ubuntu\x0D&#xa;Description:&#x9;Ubuntu 16.04.6 LTS\x0D&#xa;Release:&#x9;16.04\x0D&#xa;Codename:&#x9;xenial\x0D&#xa;</elem>

The patch below rectifies the issue, treating CRs just like LFs:

<elem key="output">No LSB modules are available.&#xd;&#xa;Distributor ID:&#x9;Ubuntu&#xd;&#xa;Description:&#x9;Ubuntu 16.04.6 LTS&#xd;&#xa;Release:&#x9;16.04&#xd;&#xa;Codename:&#x9;xenial&#xd;&#xa;</elem>
* Prevents backslash-escaping of CR characters in XML output
--- a/
+++ b/
@@ -493,8 +493,21 @@
    xml_write_escaped is not enough; some characters are not allowed to appear in
    XML, not even escaped. */
 std::string protect_xml(const std::string s) {
-  /* escape_for_screen is good enough. */
-  return escape_for_screen(s);
+  std::string r;
+  for (unsigned int i = 0; i < s.size(); i++) {
+    char buf[5];
+    unsigned char c = s[i];
+    // Printable and some whitespace ok.
+    if (c == '\t' || c == '\r' || c == '\n' || (0x20 <= c && c <= 0x7e)) {
+      r += c;
+    } else {
+      Snprintf(buf, sizeof(buf), "\\x%02X", c);
+      r += buf;
+    }
+  }
+  return r;
 /* This is a helper function to determine the ordering of the script results

This comment has been minimized.

Copy link

commented Jun 30, 2019

The code will be committed on or after July 15 unless concerns are raised.

@nmap-bot nmap-bot closed this in 7e9cf65 Jul 21, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
1 participant
You can’t perform that action at this time.