Apply input validation to match dataform constraints

igniterealtime / openfire-mucextinfo-plugin

An Openfire plugin that allows an admin to configure Extended Service Discovery information to Multi User Chat entities.

2 stars 5 forks source link

Apply input validation to match dataform constraints #6

Open guusdk opened 4 years ago

guusdk commented 4 years ago

Using the admin panel, a user can input pretty much any value to the service discovery information. There likely needs to be some input validation done (can form name values include whitespace characters?)

Fishbowler commented 4 years ago

Also, an approach to XML escaping. Right now it's "escape all the things". Using a string of <>?:"{}|_+ for the variable name, label and value gives this:

<field var="&lt;&gt;?:&quot;{}|_+" label="&lt;&gt;?:&quot;{}|_+">
    <value>&lt;&gt;?:"{}|_+</value>
</field>

Should the same escaping occur for quoted strings in XML attributes as it does for the raw <value>?

Is there a valid use case for any of the XML-escapable characters in any of these fields?

guusdk commented 4 years ago

I'm not immediately seeing a better approach that adds value, but doesn't compromise security. Suggestions?