yawlfoundation / yawl

Yet Another Workflow Language
http://www.yawlfoundation.org
GNU Lesser General Public License v3.0

YTask.getInformation and YWorkItem.toXML return invalid XML because taskName or taskDocumentation contain unescaped characters #614

Closed mlawry closed 6 years ago

mlawry commented 6 years ago

YTask class in package org.yawlfoundation.yawl.elements, getInformation() method.

If the task name or documentation contains characters such as '&', then the resulting XML returned doesn't escape the '&', resulting in invalid XML.

result.append("<taskName>");
result.append(_name != null ? _name :
        _decompositionPrototype != null ? _decompositionPrototype.getID() : "null");
result.append("</taskName>");

if (_documentation != null) {
    result.append("<taskDocumentation>");
    result.append(_documentation);
    result.append("</taskDocumentation>");
}

mlawry commented 6 years ago

YWorkItem class in package org.yawlfoundation.yawl.engine, toXml() method.

Same problem; maybe it should use StringUtil.wrapEscape instead of plain StringUtil.wrap.

xml.append(StringUtil.wrap(_task.getName(), "taskname"));
xml.append(StringUtil.wrap(getDocumentation(), "documentation"));

yawlfoundation commented 6 years ago

fixed - thanks for locating these issues
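
The failure reported in this issue and the effect of escaping, shown as an added example that is not YAWL's own code. `escapeXml`, `wrapRaw` and `wrapEscaped` are hypothetical stand-ins (the page does not show how `StringUtil.wrap` or `StringUtil.wrapEscape` are implemented), and the task name is a constructed sample.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.helpers.DefaultHandler;

public class TaskXmlEscapeDemo {

    // Hypothetical helper: escape the XML special characters ('&' must go first).
    static String escapeXml(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&apos;");
    }

    // Same pattern as the snippets in the issue: the value is concatenated as-is.
    static String wrapRaw(String value, String tag) {
        return "<" + tag + ">" + value + "</" + tag + ">";
    }

    // Escaped variant: the value can only ever be text content of the element.
    static String wrapEscaped(String value, String tag) {
        return "<" + tag + ">" + escapeXml(value) + "</" + tag + ">";
    }

    // Returns the root element's text, or null if the input is not well-formed XML.
    static String parseText(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            // DOCTYPE declarations are not needed here, so reject them outright.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            DocumentBuilder b = f.newDocumentBuilder();
            b.setErrorHandler(new DefaultHandler()); // throw on fatal errors, no stderr output
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String name = "Check R&D budget <draft>"; // constructed sample task name
        String raw = wrapRaw(name, "taskName");
        String escaped = wrapEscaped(name, "taskName");
        System.out.println("raw:     " + raw + " -> well-formed: " + (parseText(raw) != null));
        System.out.println("escaped: " + escaped + " -> well-formed: " + (parseText(escaped) != null));
        System.out.println("round-trips: " + name.equals(parseText(escaped)));
    }
}
```

Escaping at the point where the value is wrapped also keeps any markup inside a task name or documentation string from being parsed as elements by consumers of the XML.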