Throw Error on illegal characters.

When a character reference is outside the bounds defined by XML v1.0, throw an error, seeing as the characters are not legal, and the document is invalid. Not doing this would probably open up attack vectors allowing the entry of binary data and control sequences into data structures.
xmppjs · Sep 22, 2018 · 2bdae01 · 2bdae01
1 parent 9b6880c
commit 2bdae01
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/lib/escape.js b/lib/escape.js
@@ -22,11 +22,21 @@ var unescapeXMLTable = {
 
 function unescapeXMLReplace (match) {
   if (match[1] === '#') {
+    var num
     if (match[2] === 'x') {
-      return String.fromCodePoint(parseInt(match.slice(3), 16))
+      num = parseInt(match.slice(3), 16)
     } else {
-      return String.fromCodePoint(parseInt(match.slice(2), 10))
+      num = parseInt(match.slice(2), 10)
     }
+    // https://www.w3.org/TR/xml/#NT-Char defines legal XML characters:
+    // #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
+    if (num === 0x9 || num === 0xA || num === 0xD ||
+        (num >= 0x20 && num <= 0xD7FF) ||
+        (num >= 0xE000 && num <= 0xFFFD) ||
+        (num >= 0x10000 && num <= 0x10FFFF)) {
+      return String.fromCodePoint(num)
+    }
+    throw new Error(`Illegal XML character 0x${num.toString(16)}`)
   }
   return unescapeXMLTable[match]
 }

diff --git a/test/escape-test.js b/test/escape-test.js
@@ -52,6 +52,9 @@ vows.describe('escape').addBatch({
     'unescapes numeric entities': function () {
       assert.strictEqual(unescapeXML('&#64;'), '@')
     },
+    'throws on invalid characters': function () {
+      assert.throws(() => unescapeXML('&#0;'), Error)
+    },
     'unescapes hexadecimal entities': function () {
       assert.strictEqual(unescapeXML('&#x40;'), '@')
     },