Ignore (strip) illegal characters.

Leaving the invalid sequences in the document seems incorrect. Another option could be to throw an error, seeing as the characters are not legal. Not doing this would probably open up attack vectors allowing the entry of binary data and control sequences into data structures.
xmppjs · Jun 15, 2018 · ff29990 · ff29990
1 parent 9cc1867
commit ff29990
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/lib/escape.js b/lib/escape.js
@@ -22,11 +22,21 @@ var unescapeXMLTable = {
 
 function unescapeXMLReplace (match) {
   if (match[1] === '#') {
+    var num
     if (match[2] === 'x') {
-      return String.fromCodePoint(parseInt(match.slice(3), 16))
+      num = parseInt(match.slice(3), 16)
     } else {
-      return String.fromCodePoint(parseInt(match.slice(2), 10))
+      num = parseInt(match.slice(2), 10)
     }
+    // https://www.w3.org/TR/xml/#NT-Char defines legal XML characters:
+    // #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
+    if (num === 0x9 || num === 0xA || num === 0xD ||
+        (num >= 0x20 && num <= 0xD7FF) ||
+        (num >= 0xE000 && num <= 0xFFFD) ||
+        (num >= 0x10000 && num <= 0x10FFFF)) {
+      return String.fromCodePoint(num)
+    }
+    return ''
   }
   return unescapeXMLTable[match]
 }

diff --git a/test/escape-test.js b/test/escape-test.js
@@ -52,6 +52,9 @@ vows.describe('escape').addBatch({
     'unescapes numeric entities': function () {
       assert.equal(unescapeXML('&#64;'), '@')
     },
+    'strips control characters': function () {
+      assert.equal(unescapeXML('&#0;'), '')
+    },
     'unescapes hexadecimal entities': function () {
       assert.equal(unescapeXML('&#x40;'), '@')
     },