esl / MongooseIM

MongooseIM is Erlang Solutions' robust, scalable and efficient XMPP server, aimed at large installations. Specifically designed for enterprise purposes, it is fault-tolerant and can utilise the resources of multiple clustered machines.

BOSH: XML CDATA is not properly escaped #203

Closed madprogrammer closed 10 years ago

madprogrammer commented 10 years ago

In mod_bosh.erl, a call is made to exml:to_binary, without first escaping XML CDATA content. In exml/src/exml.erl a comment states that "it's caller's responsibility to make sure that #xmlcdata's content is escaped properly".

As a result, invalid XML is produced if a tag contains special chars like "&" in its body. This example will reproduce the error:

<iq type="set" id="4">
  <query xmlns="jabber:iq:private">
  <TestPrivate xmlns="some:private:data">Test with an &amp;</TestPrivate>
  </query>
</iq>

Executing a "get" IQ over BOSH will return the following reply:

<iq from='bot@localhost' to='bot@localhost/test' id='4' type='result'>
  <query xmlns='jabber:iq:private'>
  <TestPrivate xmlns="some:private:data">Test with an &</TestPrivate>
  </query>
</iq>

Notice how the "&" is not properly escaped in the BOSH reply. Other places where exml:to_binary is used to convert {xmlel, ...} into a binary string may also be affected by a similar issue.
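As an added illustration (not MongooseIM or exml code), a small Python stand-in for exml's to_binary serialises the IQ above with and without escaping the #xmlcdata content and reparses the result, which shows why the unescaped reply is rejected by any XML parser and what the caller has to do before handing cdata to the serialiser. The tuple shapes, `escape_cdata` flag and helper names are assumptions for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-ins for exml's {xmlel, Name, Attrs, Children} and {xmlcdata, Bin}.
def xmlel(name, attrs=(), children=()):
    return ("xmlel", name, list(attrs), list(children))

def xmlcdata(text):
    return ("xmlcdata", text)

def to_binary(el, escape_cdata):
    """Serialise an element tree to text.

    escape_cdata=False mirrors the reported mod_bosh behaviour: cdata is emitted
    verbatim, as the exml comment warns is the caller's responsibility to avoid.
    escape_cdata=True applies the &, < and > escaping the caller must perform.
    """
    if el[0] == "xmlcdata":
        return escape(el[1]) if escape_cdata else el[1]
    _, name, attrs, children = el
    attr_str = "".join(f" {k}='{escape(v, {chr(39): '&apos;'})}'" for k, v in attrs)
    body = "".join(to_binary(c, escape_cdata) for c in children)
    return f"<{name}{attr_str}>{body}</{name}>" if body else f"<{name}{attr_str}/>"

def is_well_formed(xml_text):
    """Validation check a BOSH client (or a test) would apply to the reply."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def stored_text(xml_text):
    """Parse the reply and return the private-storage text as the client sees it."""
    return ET.fromstring(xml_text)[0][0].text

# The jabber:iq:private result from the report; the stored text holds a literal '&'.
IQ = xmlel("iq", [("from", "bot@localhost"), ("to", "bot@localhost/test"),
                  ("id", "4"), ("type", "result")], [
    xmlel("query", [("xmlns", "jabber:iq:private")], [
        xmlel("TestPrivate", [("xmlns", "some:private:data")],
              [xmlcdata("Test with an &")]),
    ]),
])

def bosh_reply(escape_cdata):
    return to_binary(IQ, escape_cdata)

if __name__ == "__main__":
    for flag in (False, True):
        out = bosh_reply(flag)
        print(f"escape_cdata={flag}: well-formed={is_well_formed(out)}\n  {out}")
```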

michalwski commented 10 years ago

Thanks for catching this bug!