htsbuf_append_and_escape_xml: filter out invalid XML 1.0 characters, fixes #3942

diff --git a/src/htsbuf.c b/src/htsbuf.c
index a67583f40a9a35e5e9c9c218405943f63a96f50e..446c37791f6e6a95741bd1e8f0c29326859c8ff2 100644 (file)
--- a/src/htsbuf.c
+++ b/src/htsbuf.c
@@ -352,12 +352,16 @@ htsbuf_append_and_escape_xml(htsbuf_queue_t *hq, const char *s)
 {
   const char *c = s;
   const char *e = s + strlen(s);
+  const char *esc;
+  int h;
+
   if(e == s)
     return;
 
   while(1) {
-    const char *esc;
-    switch(*c++) {
+    h = *c++;
+
+    switch(h) {
     case '<':  esc = "&lt;";   break;
     case '>':  esc = "&gt;";   break;
     case '&':  esc = "&amp;";  break;
@@ -370,6 +374,10 @@ htsbuf_append_and_escape_xml(htsbuf_queue_t *hq, const char *s)
       htsbuf_append(hq, s, c - s - 1);
       htsbuf_append_str(hq, esc);
       s = c;
+    } else if (h < 0x20 && h != 0x09 && h != 0x0a && h != 0x0d) {
+      /* allow XML 1.0 valid characters only */
+      htsbuf_append(hq, s, c - s - 1);
+      s = c;
     }
     
     if(c == e) {