Updated to remove '<!--' and '-->' from XML comments to guard against XML injection issues.

Fixes #3
ChristianSchulte committed May 7, 2016
1 parent fcd94e5 commit f933e5e
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions src/main/java/org/codehaus/plexus/util/xml/XmlWriterUtil.java
Expand Up @@ -186,6 +186,16 @@ public static void writeComment( XMLWriter writer, String comment, int indent, i
comment = "null";
}

while ( comment.contains( "<!--" ) )
{
comment = comment.replace( "<!--", "" );
}

while ( comment.contains( "-->" ) )
{
comment = comment.replace( "-->", "" );
}

if ( indent < 0 )
{
indent = 0;
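Review bot: the two stripping loops run strictly one after the other, so text that only forms a marker after the second loop has removed something is never revisited: with the input from the discussion below, `<-->!--`, the first loop finds no `<!--`, the second loop deletes `-->`, and the leftover `<!--` is written out unchanged. A single loop whose condition covers both markers, `while ( comment.contains( "<!--" ) || comment.contains( "-->" ) )`, closes that gap; since the XML grammar does not permit `--` anywhere inside a comment, rewriting every `--` (for example to `- -`) would handle both markers in one pass and additionally keep the emitted comment well-formed. A short comment on the method explaining that the content is silently altered rather than rejected would help callers who expect the text to round-trip.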

2 comments on commit f933e5e

@superkrzysio
The following comment will bypass this code and will successfully print <!-- in the comment, but it's not a security issue anymore, as it doesn't allow any injection.
A short <-->!-- comment.

@mirabilos
AIUI, XML forbids -- in comments, so perhaps strip or otherwise disengage that instead? (Perhaps replace by - plus zero-width or other space plus -?)
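The two approaches discussed above side by side, as an added example that is not plexus-utils code: the committed sequential stripping, and a single rewrite of every `--` as suggested in the last comment. Class and method names are hypothetical; the input string is the one quoted in the first comment.

```java
/** Added example, not part of plexus-utils: compares the committed stripping loops
 *  with a single-pass rewrite of "--". All names here are hypothetical. */
public class CommentSanitizerDemo
{
    /** Mirrors the commit: remove "<!--" first, then "-->", each in its own loop. */
    static String stripMarkersInSequence( String comment )
    {
        while ( comment.contains( "<!--" ) )
        {
            comment = comment.replace( "<!--", "" );
        }
        while ( comment.contains( "-->" ) )
        {
            comment = comment.replace( "-->", "" );
        }
        return comment;
    }

    /** Alternative from the review discussion: XML comments may not contain "--" at all,
     *  so rewrite every "--" as "- -" until none is left. This breaks both markers and
     *  keeps the emitted comment well-formed. The loop handles odd runs such as "---". */
    static String neutraliseDoubleHyphen( String comment )
    {
        while ( comment.contains( "--" ) )
        {
            comment = comment.replace( "--", "- -" );
        }
        return comment;
    }

    /** True when the text can be written as the body of a well-formed XML comment:
     *  no "--" inside, and no trailing "-" (which would produce "--->"). */
    static boolean isSafeCommentBody( String body )
    {
        return !body.contains( "--" ) && !body.endsWith( "-" );
    }

    public static void main( String[] args )
    {
        // Constructed input from the commit discussion: deleting "-->" leaves "<!--" behind.
        String tricky = "A short <-->!-- comment.";
        String sequential = stripMarkersInSequence( tricky );   // "A short <!-- comment."
        String rewritten = neutraliseDoubleHyphen( tricky );    // "A short <- ->!- - comment."
        System.out.println( "sequential    : " + sequential + "  safe=" + isSafeCommentBody( sequential ) );
        System.out.println( "double-hyphen : " + rewritten + "  safe=" + isSafeCommentBody( rewritten ) );
    }
}
```

Running it shows the sequential version still emitting `<!--` (safe=false) while the `--` rewrite yields a body that cannot terminate or reopen a comment (safe=true).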
