sanitzie XML characters

This commit is contained in:
Bryan Clark 2019-12-10 09:26:51 -08:00
parent 9d56a3bd35
commit 551e2a2770
3 changed files with 30 additions and 3 deletions

View file

@ -82,4 +82,22 @@ describe('auth tests', () => {
expect(fs.existsSync(m2Dir)).toBe(false); expect(fs.existsSync(m2Dir)).toBe(false);
expect(fs.existsSync(settingsFile)).toBe(false); expect(fs.existsSync(settingsFile)).toBe(false);
}, 100000); }, 100000);
it('escapes invalid XML inputs', () => {
const id = 'packages';
const username = 'bluebottle';
const password = '&<>"\'\'"><&';
expect(auth.generate(id, username, password)).toEqual(`
<settings>
<servers>
<server>
<id>${id}</id>
<username>${username}</username>
<password>&amp;&lt;&gt;&quot;&apos;&apos;&quot;&gt;&lt;&amp;</password>
</server>
</servers>
</settings>
`);
});
}); });

BIN
dist/index.js generated vendored

Binary file not shown.

View file

@ -27,15 +27,24 @@ export async function configAuthentication(
} }
} }
function escapeXML(value: string) {
return value
.replace(/&/g, '&amp;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&apos;');
}
// only exported for testing purposes // only exported for testing purposes
export function generate(id: string, username: string, password: string) { export function generate(id: string, username: string, password: string) {
return ` return `
<settings> <settings>
<servers> <servers>
<server> <server>
<id>${id}</id> <id>${escapeXML(id)}</id>
<username>${username}</username> <username>${escapeXML(username)}</username>
<password>${password}</password> <password>${escapeXML(password)}</password>
</server> </server>
</servers> </servers>
</settings> </settings>