Xml entity escape (#523)

* fix escaping of character entities in XML e.g. & in a url in an attribute should become & in XML * linting * tests * fix entity escaping to only escape tag attributes * use xml-escape npm module
tngan · Feb 23, 2024 · 14055ff · 14055ff
1 parent 522b240
commit 14055ff
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -40,6 +40,7 @@
     "uuid": "^8.3.2",
     "xml": "^1.0.1",
     "xml-crypto": "^3.0.1",
+    "xml-escape": "^1.1.0",
     "xpath": "^0.0.32"
   },
   "devDependencies": {

diff --git a/src/libsaml.ts b/src/libsaml.ts
@@ -14,6 +14,7 @@ import * as xmlenc from '@authenio/xml-encryption';
 import { extract } from './extractor';
 import camelCase from 'camelcase';
 import { getContext } from './api';
+import xmlEscape from 'xml-escape';
 
 const signatureAlgorithms = algorithms.signature;
 const digestAlgorithms = algorithms.digest;
@@ -238,6 +239,13 @@ const libSaml = () => {
     return prefix + camelContent.charAt(0).toUpperCase() + camelContent.slice(1);
   }
 
+  function escapeTag(text: string): (...args: string[]) => string {
+    return (match: string, quote?: string) => {
+      // not having a quote means this interpolation isn't for an attribute, and so does not need escaping
+      return quote ? `${quote}${xmlEscape(text || '')}` : text;
+    }
+  }
+
   return {
 
     createXPath,
@@ -257,7 +265,10 @@ const libSaml = () => {
     */
     replaceTagsByValue(rawXML: string, tagValues: any): string {
       Object.keys(tagValues).forEach(t => {
-        rawXML = rawXML.replace(new RegExp(`{${t}}`, 'g'), tagValues[t]);
+        rawXML = rawXML.replace(
+          new RegExp(`("?)\\{${t}\\}`, 'g'),
+          escapeTag(tagValues[t])
+        );
       });
       return rawXML;
     },

diff --git a/yarn.lock b/yarn.lock
@@ -2520,6 +2520,11 @@ xml-crypto@^3.0.1:
     "@xmldom/xmldom" "^0.8.5"
     xpath "0.0.32"
 
+xml-escape@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/xml-escape/-/xml-escape-1.1.0.tgz#3904c143fa8eb3a0030ec646d2902a2f1b706c44"
+  integrity sha512-B/T4sDK8Z6aUh/qNr7mjKAwwncIljFuUP+DO/D5hloYFj+90O88z8Wf7oSucZTHxBAsC1/CTP4rtx/x1Uf72Mg==
+
 xml@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/xml/-/xml-1.0.1.tgz#78ba72020029c5bc87b8a81a3cfcd74b4a2fc1e5"