Closed abeyerpath closed 3 years ago
As a workaround in the meantime, I manually inserted XML entities in the environment password string to handle encoding, and that seems to work as expected.
Hi @abeyerpath, that's excellent feedback, thanks.
I'll add a CDATA block, that's a good way to protect the field. I don't think that we should go for anything more dynamic like a script as people may miss it and that's beyond the scope of the request.
There are valid password characters which shouldn't be inserted unprocessed into the XML envelope ('<', '>', and '&' come to mind, but there may be others.)
The password & token replacement tokens could probably be wrapped in a CDATA block to handle most simple cases and/or a pre-request script could handle escaping them or at least report a better error.
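
The two approaches discussed in this thread (entity escaping and a CDATA wrapper), as an added example that is not code from the project or from either commenter; the function names and sample values are constructed for illustration. It also covers the one case a CDATA wrapper does not handle on its own, a value containing `]]>`.

```javascript
// Added example: two ways to place a secret into an XML text node safely.

// Escape the five predefined XML entities. '&' is replaced first so the
// '&' of entities produced by later replacements is not escaped again.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Wrap in CDATA. The only sequence that cannot appear inside a CDATA
// section is ']]>', so it is split across two adjacent sections.
function wrapCdata(value) {
  return '<![CDATA[' + String(value).split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Characters XML 1.0 forbids in any form (most C0 controls, U+FFFE/U+FFFF).
// Neither escaping nor CDATA makes these legal.
function hasIllegalXmlChars(value) {
  return /[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/.test(String(value));
}

// Produce text that is safe to substitute into an element's content.
function toXmlText(value, useCdata = false) {
  if (hasIllegalXmlChars(value)) {
    throw new Error('value contains characters not allowed in XML 1.0');
  }
  return useCdata ? wrapCdata(value) : escapeXml(value);
}

// Decode what a conforming parser would hand back, for round-trip checks.
function decodeText(xmlText) {
  return xmlText
    .replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, (_, body) => escapeXml(body))
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}
```
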