From: Jaroslav Kysela
Date: Sat, 20 Aug 2016 15:14:47 +0000 (+0200)
Subject: htsbuf_append_and_escape_xml: filter out invalid XML 1.0 characters, fixes #3942
X-Git-Tag: v4.2.1~356
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3de32442508aca18d7d53c6badbaa9c3bfc77242;p=thirdparty%2Ftvheadend.git
htsbuf_append_and_escape_xml: filter out invalid XML 1.0 characters, fixes #3942
---
diff --git a/src/htsbuf.c b/src/htsbuf.c
index a67583f40..446c37791 100644
--- a/src/htsbuf.c
+++ b/src/htsbuf.c
@@ -352,12 +352,16 @@ htsbuf_append_and_escape_xml(htsbuf_queue_t *hq, const char *s) { const char *c = s; const char *e = s + strlen(s); + const char *esc; + int h; + if(e == s) return; while(1) { - const char *esc; - switch(*c++) { + h = *c++; + + switch(h) { case '<': esc = "<"; break; case '>': esc = ">"; break; case '&': esc = "&"; break;
@@ -370,6 +374,10 @@ htsbuf_append_and_escape_xml(htsbuf_queue_t *hq, const char *s) htsbuf_append(hq, s, c - s - 1); htsbuf_append_str(hq, esc); s = c; + } else if (h < 0x20 && h != 0x09 && h != 0x0a && h != 0x0d) { + /* allow XML 1.0 valid characters only */ + htsbuf_append(hq, s, c - s - 1); + s = c; } if(c == e) {
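Review bot: Where plain `char` is signed (the usual case on x86), `h = *c++;` in the first hunk sign-extends every byte at or above 0x80 to a negative `int`, so the new `h < 0x20 && h != 0x09 && h != 0x0a && h != 0x0d` test in the second hunk matches it and drops the byte. That would strip all non-ASCII UTF-8 text from the escaped output, not only the control characters the commit targets. Reading the byte as unsigned, `h = (unsigned char)*c++;`, avoids this and leaves `switch(h)` unchanged, because every case label is ASCII. The function starts before the first hunk and continues past the second, so the exit path at `if(c == e)` is not covered by this note.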
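Review bot: The comment `/* allow XML 1.0 valid characters only */` in the second hunk promises more than the branch does, since the test covers only bytes below 0x20 other than TAB, LF and CR. XML 1.0 also excludes U+FFFE, U+FFFF and surrogate code points, and nothing in the visible lines decodes or validates multi-byte sequences. A consumer that relies on this function for well-formed output could still receive a document its parser rejects. I would reword the comment to state the actual scope, for example `/* drop C0 controls forbidden by XML 1.0 (all < 0x20 except TAB, LF, CR); UTF-8 sequences are not validated here */`.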