From 6048520484101df5d33f3c852c10640e630d20cf Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Tue, 30 Jan 2018 23:03:59 +0000
Subject: [PATCH] Never include '&' in attribute values

Fixes: https://github.com/hughsie/lvfs-website/issues/33
---
 libappstream-glib/as-node.c      | 7 ++++++-
 libappstream-glib/as-self-test.c | 6 +++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/libappstream-glib/as-node.c b/libappstream-glib/as-node.c
index f8199a9..945c465 100644
--- a/libappstream-glib/as-node.c
+++ b/libappstream-glib/as-node.c
@@ -327,12 +327,17 @@ as_node_get_attr_string (AsNodeData *data)
 
 	str = g_string_new ("");
 	for (l = data->attrs; l != NULL; l = l->next) {
+		g_autoptr(GString) value_safe = NULL;
 		attr = l->data;
 		if (g_strcmp0 (attr->key, "@comment") == 0 ||
 		    g_strcmp0 (attr->key, "@comment-tmp") == 0)
 			continue;
+		value_safe = g_string_new (attr->value);
+		as_utils_string_replace (value_safe, "&", "&amp;");
+		as_utils_string_replace (value_safe, "<", "&lt;");
+		as_utils_string_replace (value_safe, ">", "&gt;");
 		g_string_append_printf (str, " %s=\"%s\"",
-					attr->key, attr->value);
+					attr->key, value_safe->str);
 	}
 	return g_string_free (str, FALSE);
 }
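Review bot: The escaping added at lines 26–29 leaves the double quote unescaped, yet the value is emitted inside `"..."` at line 30, so an attribute value containing `"` still produces malformed XML and can terminate the attribute early and smuggle in extra attribute text; add `as_utils_string_replace (value_safe, "\"", "&quot;");` after the `>` replacement. Replacing `&` first is correct since later replacements introduce `&`, and that ordering is worth a comment such as `/* '&' must be escaped first so the entities below are not double-escaped */`. If attr->value can be NULL, g_string_new() of NULL yields an empty string where the old printf path would have emitted "(null)" — presumably harmless, but worth confirming against callers. as_node_get_attr_string begins before this hunk.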
diff --git a/libappstream-glib/as-self-test.c b/libappstream-glib/as-self-test.c
index 9800c03..fb4ccf8 100644
--- a/libappstream-glib/as-self-test.c
+++ b/libappstream-glib/as-self-test.c
@@ -1047,7 +1047,7 @@ as_test_checksum_func (void)
 	AsNode *n;
 	AsNode *root;
 	GString *xml;
-	const gchar *src = "<checksum type=\"sha1\" filename=\"fn.cab\" target=\"container\">12345</checksum>";
+	const gchar *src = "<checksum type=\"sha1\" filename=\"f&amp;n.cab\" target=\"container\">12&amp;45</checksum>";
 	gboolean ret;
 	g_autoptr(AsNodeContext) ctx = NULL;
 	g_autoptr(AsChecksum) csum = NULL;
@@ -1077,8 +1077,8 @@ as_test_checksum_func (void)
 	/* verify */
 	g_assert_cmpint (as_checksum_get_kind (csum), ==, G_CHECKSUM_SHA1);
 	g_assert_cmpint (as_checksum_get_target (csum), ==, AS_CHECKSUM_TARGET_CONTAINER);
-	g_assert_cmpstr (as_checksum_get_filename (csum), ==, "fn.cab");
-	g_assert_cmpstr (as_checksum_get_value (csum), ==, "12345");
+	g_assert_cmpstr (as_checksum_get_filename (csum), ==, "f&n.cab");
+	g_assert_cmpstr (as_checksum_get_value (csum), ==, "12&45");
 
 	/* back to node */
 	root = as_node_new ();
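Review bot: The updated fixture at line 45 exercises only `&amp;` on the round trip, so the `&lt;`/`&gt;` paths added to as_node_get_attr_string are not covered, and a value containing a literal `"` (the remaining unescaped character) would not be caught either; adding an attribute such as `filename="f&quot;n.cab"` to the source string, with the matching `"f\"n.cab"` expectation, would pin that case. Whether the serialised output is compared later in the function cannot be seen here since as_test_checksum_func continues past this hunk; the same gap applies to the hunk at line 40.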
-- 
2.14.3