From 14055fface65c5d42a10cb6635282090bd91eecf Mon Sep 17 00:00:00 2001 From: Munawwar Date: Fri, 23 Feb 2024 04:56:29 +0400 Subject: [PATCH] Xml entity escape (#523) * fix escaping of character entities in XML e.g. & in a url in an attribute should become & in XML * linting * tests * fix entity escaping to only escape tag attributes * use xml-escape npm module --- package.json | 1 + src/libsaml.ts | 13 ++++++++++++- yarn.lock | 5 +++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index c672bda..743850f 100644 --- a/package.json +++ b/package.json @@ -40,6 +40,7 @@ "uuid": "^8.3.2", "xml": "^1.0.1", "xml-crypto": "^3.0.1", + "xml-escape": "^1.1.0", "xpath": "^0.0.32" }, "devDependencies": { diff --git a/src/libsaml.ts b/src/libsaml.ts index fd67ac7..3ea5231 100644 --- a/src/libsaml.ts +++ b/src/libsaml.ts @@ -14,6 +14,7 @@ import * as xmlenc from '@authenio/xml-encryption'; import { extract } from './extractor'; import camelCase from 'camelcase'; import { getContext } from './api'; +import xmlEscape from 'xml-escape'; const signatureAlgorithms = algorithms.signature; const digestAlgorithms = algorithms.digest; @@ -238,6 +239,13 @@ const libSaml = () => { return prefix + camelContent.charAt(0).toUpperCase() + camelContent.slice(1); } + function escapeTag(text: string): (...args: string[]) => string { + return (match: string, quote?: string) => { + // not having a quote means this interpolation isn't for an attribute, and so does not need escaping + return quote ? `${quote}${xmlEscape(text || '')}` : text; + } + } + return { createXPath, @@ -257,7 +265,10 @@ const libSaml = () => { */ replaceTagsByValue(rawXML: string, tagValues: any): string { Object.keys(tagValues).forEach(t => { - rawXML = rawXML.replace(new RegExp(`{${t}}`, 'g'), tagValues[t]); + rawXML = rawXML.replace( + new RegExp(`("?)\\{${t}\\}`, 'g'), + escapeTag(tagValues[t]) + ); }); return rawXML; }, 
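Review bot: `escapeTag` drops the implicit string coercion the old code had: `String.prototype.replace` with a non-function replacement stringified `tagValues[t]`, whereas the new replacer hands `text || ''` to `xmlEscape` untouched, so a numeric or boolean tag value in an attribute position will, as far as I can tell from xml-escape's API, no longer be coerced (and `0` becomes `''`). I would write the attribute branch as `` `${quote}${xmlEscape(text == null ? '' : String(text))}` `` and type the parameter `text: unknown` since `tagValues` is `any`. The non-attribute branch returns the value verbatim, which is a contract worth stating above the function: `// Placeholders outside a "-quoted attribute are substituted raw: callers must pass trusted XML fragments or pre-escaped text there.` The enclosing `libSaml` factory starts and ends outside this hunk.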
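Review bot: The `("?)` prefix in the new RegExp decides escaping from a single preceding double quote, so a placeholder in a single-quoted attribute (`Attr='{Tag}'`), one with a literal prefix (`Attr="urn:{Tag}"`), and every placeholder in element text content (`<saml:Issuer>{Issuer}</saml:Issuer>`) are still substituted raw; `<` or `&` in such a value still yields malformed XML, and an attacker-influenced value there can still inject markup. At minimum accept both quote styles, `new RegExp(`(["']?)\\{${t}\\}`, 'g'),`, and I would rather keep an explicit set of placeholder names that are allowed to carry raw XML fragments and escape every other value regardless of position, since the quote heuristic cannot tell the two apart. Note also that callers who already escaped their values now get `&amp;amp;`, which the commit does not mention; a comment on the method saying values are escaped here and must not be pre-escaped would save the next maintainer a bug hunt. The positive side effect that a value containing `$&` or `$1` is no longer interpreted as a replacement pattern is worth recording in the same comment.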
diff --git a/yarn.lock b/yarn.lock index f97c624..8a55ee9 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2520,6 +2520,11 @@ xml-crypto@^3.0.1: "@xmldom/xmldom" "^0.8.5" xpath "0.0.32" +xml-escape@^1.1.0: + version "1.1.0" + resolved "https://registry.yarnpkg.com/xml-escape/-/xml-escape-1.1.0.tgz#3904c143fa8eb3a0030ec646d2902a2f1b706c44" + integrity sha512-B/T4sDK8Z6aUh/qNr7mjKAwwncIljFuUP+DO/D5hloYFj+90O88z8Wf7oSucZTHxBAsC1/CTP4rtx/x1Uf72Mg== + xml@^1.0.1: version "1.0.1" resolved "https://registry.yarnpkg.com/xml/-/xml-1.0.1.tgz#78ba72020029c5bc87b8a81a3cfcd74b4a2fc1e5"