Codespilot / vocadb

Automatically exported from code.google.com/p/vocadb

Posting certain hidden characters results in a crash #104

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The character in this example is hex 0x02 (STX), which is used for bolding text on IRC, among other things. Posting this to any field that is serialized into XML (all entry fields) causes a crash.

Stack trace:
System.Xml.XmlException: '', hexadecimal value 0x02, is an invalid character. Line 29, position 73.
Void Throw(System.String, System.String[])
   at System.Xml.XmlTextReaderImpl.Throw(String res, String[] args)
   at System.Xml.XmlTextReaderImpl.ParseNumericCharRefInline(Int32 startPos, Boolean expand, StringBuilder internalSubsetBuilder, Int32& charCount, EntityType& entityType)
   at System.Xml.XmlTextReaderImpl.ParseCharRefInline(Int32 startPos, Int32& charCount, EntityType& entityType)
   at System.Xml.XmlTextReaderImpl.ParseText(Int32& startPos, Int32& endPos, Int32& outOrChars)
   at System.Xml.XmlTextReaderImpl.ParseText()
   at System.Xml.XmlTextReaderImpl.ParseElementContent()
   at System.Xml.Linq.XContainer.ReadContentFrom(XmlReader r)
   at System.Xml.Linq.XContainer.ReadContentFrom(XmlReader r, LoadOptions o)
   at System.Xml.Linq.XDocument.Load(XmlReader reader, LoadOptions options)
   at System.Xml.Linq.XDocument.Parse(String text, LoadOptions options)
   at VocaDb.Model.Helpers.XmlHelper.SerializeToXml[T](T obj) in c:\Sites\VocaDB\trunk\VocaDbModel\Helpers\XmlHelper.cs:line 32

Original issue reported on code.google.com by rii...@gmail.com on 21 Mar 2013 at 6:07

GoogleCodeExporter commented 8 years ago
Well, this issue seems to be difficult to fix properly. There are a lot of characters that are not allowed in the XML 1.0 spec ( http://www.w3.org/TR/REC-xml/#charsets ). Catching all serializable strings and sanitizing them one by one is probably too much work. The thing is that XmlSerializer serializes the character just fine to , but parsing the XML results in the error described above. I ended up just removing that entity from the produced XML, which fixes this one input, but not all invalid inputs. I also documented the issue in the XmlHelper class. Need to take additional steps if this appears to be a problem.

Original comment by rii...@gmail.com on 21 Mar 2013 at 8:41
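The failure described in the two comments above (XmlSerializer writing a numeric character reference for 0x02 without complaint, XDocument.Parse then rejecting it because the reader checks characters against the XML 1.0 Char production) is easy to reproduce, and the general fix that the second comment considers too much work per field can be done once with a single helper that strips everything outside that production before serialization. Because every entry field reaches this path, anyone who can submit text can trigger the exception, so the check belongs at the input boundary rather than at individual references in the output. The following is an added example written for this page, not code from the VocaDB project: EntryStub is a hypothetical stand-in for an entry type, Serialize is an assumption about the serialize-then-parse sequence visible in the stack trace (XmlHelper.SerializeToXml), not a copy of it, and the sample input is constructed.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Linq;
using System.Xml.Serialization;

// Hypothetical entry type standing in for a VocaDB entry; not the project's own class.
public class EntryStub
{
    public string Name { get; set; }
}

public static class XmlCharSanitizer
{
    // Drops every character outside the XML 1.0 Char production:
    //   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
    // XmlConvert.IsXmlChar answers for single UTF-16 code units, so it rejects
    // surrogates on their own; a well-formed surrogate pair (an astral character)
    // is checked as a pair and kept. Lone surrogates, C0 controls other than
    // TAB/LF/CR, and U+FFFE/U+FFFF are removed.
    public static string StripInvalidXmlChars(string s)
    {
        if (string.IsNullOrEmpty(s)) return s;
        var sb = new StringBuilder(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            if (XmlConvert.IsXmlChar(c))
            {
                sb.Append(c);
            }
            else if (i + 1 < s.Length && XmlConvert.IsXmlSurrogatePair(s[i + 1], c))
            {
                sb.Append(c).Append(s[i + 1]);
                i++; // consumed the low surrogate as well
            }
            // anything else is dropped
        }
        return sb.ToString();
    }
}

public static class Program
{
    // Assumed shape of the failing path: serialize with XmlSerializer, then
    // re-parse the produced text with XDocument.Parse (as in the stack trace).
    static string Serialize(EntryStub entry)
    {
        var serializer = new XmlSerializer(typeof(EntryStub));
        using (var sw = new StringWriter())
        {
            serializer.Serialize(sw, entry);
            return sw.ToString();
        }
    }

    public static void Main()
    {
        // Constructed sample input: "bold" text as an IRC client would send it,
        // with STX (0x02) in front.
        var entry = new EntryStub { Name = "\u0002bold text" };

        // 1. Unsanitized: serialization succeeds, the re-parse throws XmlException
        //    ("hexadecimal value 0x02, is an invalid character").
        string raw = Serialize(entry);
        try
        {
            XDocument.Parse(raw);
            Console.WriteLine("unexpected: parse of unsanitized input succeeded");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("unsanitized input: " + ex.Message);
        }

        // 2. Sanitized at the boundary, before serialization: round-trips cleanly.
        entry.Name = XmlCharSanitizer.StripInvalidXmlChars(entry.Name);
        XDocument doc = XDocument.Parse(Serialize(entry));
        Console.WriteLine("sanitized input: " + doc.Root.Element("Name").Value);
    }
}
```

The alternative knob is to parse with an XmlReader created from XmlReaderSettings with CheckCharacters set to false (and the matching XmlWriterSettings on the writing side), which makes the reader accept the reference; the control character then survives into the stored data and every downstream XML consumer has to make the same concession, so stripping or rejecting at input is the safer default. Whether to strip silently or reject the submission with a validation error is a product decision; the helper above strips.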