Open mickdekkers opened 3 weeks ago
Thanks for the bug report, Mick. I'll take a look at this ASAP.
Maybe once bugs like this are fixed the download count will become more respectable ;-)
So the current escaping is done by the transformation step, to allow us to support disable-output-escaping, so we need to move that to the serialiser, but also support that.
The XSLT spec suggests the way to go about this is to expand the data model with a Boolean to flag whether the output is to be escaped or not; we can look into that approach?
Hi @ballsteve, @devasta, I'm reporting this as an issue on GitHub as discussed.
I noticed that the XML serialization in xrust doesn't seem to be escaping special characters like `&` and `"`. This can produce invalid syntax, but could also theoretically lead to XML injection attacks if someone passes malicious input to an application using xrust (e.g. if that application includes a parse -> serialize -> parse sequence somewhere). Practically speaking however, given the limited download count of the package, we believe it very unlikely that any application using xrust is written in such a way as to be vulnerable as a result of this issue, especially without it being noticed during development.

Example main.rs code:
Outputs:
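The following is an added example, not part of the issue report and not xrust's code, showing concretely what the parse -> serialize -> parse concern above amounts to. The `Element` model, the two serializers, the `start_tag_attrs` scanner and the `sample()` input are all constructed for this example; the scanner only reads double-quoted attributes of the first start tag and stands in for a real parser. The unescaped serializer reproduces the reported behaviour: an attribute value containing `"` closes the quote and an attacker-chosen `role="admin"` attribute appears after the round trip, and `&` in text becomes an undefined entity reference. The escaped serializer emits `&amp;`, `&lt;`, `&gt;` and (inside attribute values) `&quot;`, so the re-parsed tree equals the original one.

```rust
/// Minimal element: name, attributes in document order, and text content
/// (constructed for this example; not xrust's data model).
#[derive(Debug, Clone, PartialEq)]
pub struct Element {
    pub name: String,
    pub attrs: Vec<(String, String)>,
    pub text: String,
}

/// Single-pass escape of the XML markup characters. Doing it in one pass
/// (rather than chained replace() calls) avoids re-escaping the '&' that
/// the earlier entities introduce. '"' is only escaped inside attributes.
fn escape(s: &str, in_attr: bool) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' if in_attr => out.push_str("&quot;"),
            _ => out.push(c),
        }
    }
    out
}

/// Escape character data for a text node.
pub fn escape_text(s: &str) -> String {
    escape(s, false)
}

/// Escape a value that will be emitted inside a double-quoted attribute.
pub fn escape_attr(s: &str) -> String {
    escape(s, true)
}

/// Decode the predefined entities. "&amp;" is decoded last so that
/// "&amp;lt;" yields "&lt;" rather than "<".
pub fn unescape(s: &str) -> String {
    s.replace("&lt;", "<")
        .replace("&gt;", ">")
        .replace("&quot;", "\"")
        .replace("&apos;", "'")
        .replace("&amp;", "&")
}

/// The behaviour reported in the issue: values copied out verbatim.
pub fn serialize_unescaped(e: &Element) -> String {
    let attrs: String = e.attrs.iter().map(|(k, v)| format!(" {}=\"{}\"", k, v)).collect();
    format!("<{}{}>{}</{}>", e.name, attrs, e.text, e.name)
}

/// The corrected behaviour: text and attribute values escaped on output.
pub fn serialize_escaped(e: &Element) -> String {
    let attrs: String = e.attrs.iter().map(|(k, v)| format!(" {}=\"{}\"", k, escape_attr(v))).collect();
    format!("<{}{}>{}</{}>", e.name, attrs, escape_text(&e.text), e.name)
}

/// Tiny scanner for the attributes of the first start tag (double-quoted
/// values only, entities decoded). It models what a real parser would see
/// when the serialized string is fed back in; it is not a full XML parser.
pub fn start_tag_attrs(xml: &str) -> Vec<(String, String)> {
    let b = xml.as_bytes();
    let mut i = match b.iter().position(|&c| c == b'<') {
        Some(p) => p + 1,
        None => return Vec::new(),
    };
    while i < b.len() && !b[i].is_ascii_whitespace() && b[i] != b'>' && b[i] != b'/' {
        i += 1; // skip the element name
    }
    let mut attrs = Vec::new();
    loop {
        while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
        if i >= b.len() || b[i] == b'>' || b[i] == b'/' { break; }
        let name_start = i;
        while i < b.len() && b[i] != b'=' && !b[i].is_ascii_whitespace() { i += 1; }
        let name = xml[name_start..i].to_string();
        while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
        if i >= b.len() || b[i] != b'=' { break; }
        i += 1;
        while i < b.len() && b[i].is_ascii_whitespace() { i += 1; }
        if i >= b.len() || b[i] != b'"' { break; }
        i += 1;
        let val_start = i;
        while i < b.len() && b[i] != b'"' { i += 1; }
        if i >= b.len() { break; }
        attrs.push((name, unescape(&xml[val_start..i])));
        i += 1;
    }
    attrs
}

/// Constructed input: an attribute value and text under attacker control.
pub fn sample() -> Element {
    Element {
        name: "user".to_string(),
        attrs: vec![("name".to_string(), "alice\" role=\"admin".to_string())],
        text: "Tom & Jerry".to_string(),
    }
}

fn main() {
    let e = sample();
    println!("unescaped: {}", serialize_unescaped(&e));
    println!("re-parsed:  {:?}", start_tag_attrs(&serialize_unescaped(&e)));
    println!("escaped:   {}", serialize_escaped(&e));
    println!("re-parsed:  {:?}", start_tag_attrs(&serialize_escaped(&e)));
}
```

The check a reviewer of the fix would want is the last two lines of `main`: after the escaped round trip the start tag carries exactly the one attribute that went in, with its original value, while the unescaped round trip yields two. Note that `>` need not be escaped in attribute values or text outside `]]>`, but escaping it unconditionally is harmless and is what most serializers do.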