MongooseIM is Erlang Solutions' robust, scalable and efficient XMPP server, aimed at large installations. Specifically designed for enterprise purposes, it is fault-tolerant and can utilise the resources of multiple clustered machines.
In mod_bosh.erl, a call is made to exml:to_binary without first escaping XML CDATA content. In exml/src/exml.erl a comment states that "it's caller's responsibility to make sure that #xmlcdata's content is escaped properly".
As a result, invalid XML is produced if a tag contains special characters such as "&" in its body. This example will reproduce the error:
<iq type="set" id="4">
<query xmlns="jabber:iq:private">
<TestPrivate xmlns="some:private:data">Test with an &</TestPrivate>
</query>
</iq>
Executing a "get" IQ over BOSH will return the following reply:
<iq from='bot@localhost' to='bot@localhost/test' id='4' type='result'>
<query xmlns='jabber:iq:private'>
<TestPrivate xmlns="some:private:data">Test with an &</TestPrivate>
</query>
</iq>
Notice how the "&" is not properly escaped in the BOSH reply. Other places where exml:to_binary is used to convert {xmlel, ...} into a binary string may also be affected by a similar issue.
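To show the failure mode concretely, here is an added example (not MongooseIM or exml code) that feeds the reply quoted above to a strict XML parser, then rebuilds it with the character data escaped as the exml comment requires; the reply text is a constructed copy of the one in the report, and build_private_reply is an illustrative serialiser, not mod_bosh's.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the BOSH reply quoted in the report, with the raw '&'
# left unescaped inside the element body (illustration, not captured traffic).
UNESCAPED_REPLY = (
    "<iq from='bot@localhost' to='bot@localhost/test' id='4' type='result'>"
    "<query xmlns='jabber:iq:private'>"
    '<TestPrivate xmlns="some:private:data">Test with an &</TestPrivate>'
    "</query></iq>"
)


def escape_cdata(text: str) -> str:
    """Escape character data before it is placed in an element body:
    '&', '<' and '>' become entity references."""
    return escape(text)


def build_private_reply(payload: str) -> str:
    """Serialise the same reply, escaping the payload first (the step the
    exml comment says the caller of exml:to_binary is responsible for)."""
    return (
        "<iq from='bot@localhost' to='bot@localhost/test' id='4' type='result'>"
        "<query xmlns='jabber:iq:private'>"
        f'<TestPrivate xmlns="some:private:data">{escape_cdata(payload)}</TestPrivate>'
        "</query></iq>"
    )


def is_well_formed(xml_text: str) -> bool:
    """Return True only if a strict XML parser accepts the document."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def private_payload(xml_text: str) -> str:
    """Parse a well-formed reply and return the decoded TestPrivate body."""
    root = ET.fromstring(xml_text)
    node = root.find("{jabber:iq:private}query/{some:private:data}TestPrivate")
    return node.text or ""
```

A client that parses the unescaped reply strictly will reject the whole BOSH body, so the check also serves as a regression test for the fix: the escaped reply parses and round-trips to the original "&".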