Merge pull request #743 from sodomelle/fix-format-xml-escaping

FilterX: fix escaping in format_xml and format_windows_eventlog_xml functions

Author: MrAnno

modules/xml/filterx-func-format-windows-eventlog-xml.c

@@ -54,7 +54,11 @@ _append_inner_data_dict_element(FilterXObject *key, FilterXObject *value, gpoint
     }
 
   if (value_str_len)
-    g_string_append_printf(buffer, "<Data Name='%s'>%s</Data>", key_str, value_str);
+    {
+      gchar *escaped_value = g_markup_escape_text(value_str, value_str_len);
+      g_string_append_printf(buffer, "<Data Name='%s'>%s</Data>", key_str, escaped_value);
+      g_free(escaped_value);
+    }
   else
     g_string_append_printf(buffer, "<Data Name='%s' />", key_str);
   return TRUE;
@@ -87,7 +91,9 @@ _append_data_element(FilterXObject *key, FilterXObject *value, gpointer user_dat
       return FALSE;
     }
 
-  self->append_leaf(key_str, value_str, value_str_len, buffer);
+  gchar *escaped_value = g_markup_escape_text(value_str, value_str_len);
+  self->append_leaf(key_str, escaped_value, strlen(escaped_value), buffer);
+  g_free (escaped_value);
   return TRUE;
 }
 

modules/xml/filterx-func-format-xml.c

@@ -107,23 +107,27 @@ append_list(FilterXObject *key, FilterXObject *list, gpointer user_data)
 }
 
 static void
-_append_attribute(const char *key_str, const char *value_str, GString *buffer)
+_append_attribute(const char *key_str, GString *value_buffer, GString *buffer)
 {
   if (buffer->str[buffer->len - 1] == '>')
     g_string_overwrite(buffer, buffer->len - 1, " ");
   else
     g_string_append_c(buffer, ' ');
 
-  g_string_append_printf(buffer, "%s='%s'>", &key_str[1], value_str);
+  gchar *escaped_value = g_markup_escape_text(value_buffer->str, value_buffer->len);
+  g_string_append_printf(buffer, "%s='%s'>", &key_str[1], escaped_value);
+  g_free(escaped_value);
 }
 
 static void
-_append_text(const char *value_str, GString *buffer)
+_append_text(GString *value_buffer, GString *buffer)
 {
   if (buffer->str[buffer->len - 1] != '>')
     g_string_append_c(buffer, '>');
 
-  g_string_append(buffer, value_str);
+  gchar *escaped_value = g_markup_escape_text(value_buffer->str, value_buffer->len);
+  g_string_append(buffer, escaped_value);
+  g_free(escaped_value);
 }
 
 static void
@@ -158,17 +162,19 @@ _append_entry(FilterXObject *key, FilterXObject *value, gpointer user_data)
   if (key_str_len && (key_str[0] == '@'))
     {
       *is_only_attribute_present = TRUE;
-      _append_attribute(key_str, val_buf->str, buffer);
+      _append_attribute(key_str, val_buf, buffer);
       return TRUE;
     }
   if (key_str_len && (g_strcmp0(key_str, "#text") == 0))
     {
       *is_only_attribute_present = FALSE;
-      _append_text(val_buf->str, buffer);
+      _append_text(val_buf, buffer);
       return TRUE;
     }
 
-  self->append_leaf(key_str, val_buf->str, val_buf->len, buffer);
+  gchar *escaped_value = g_markup_escape_text(val_buf->str, val_buf->len);
+  self->append_leaf(key_str, escaped_value, strlen(escaped_value), buffer);
+  g_free (escaped_value);
   return TRUE;
 }
 

news/fx-bugfix-743.md

@@ -0,0 +1,4 @@
+`xml`: Fix escaping in element values
+
+Example:
+<b> -> &lt;b&gt;

tests/light/functional_tests/filterx/test_filterx.py

@@ -2836,6 +2836,7 @@ def test_format_xml_valid_input(config, syslog_ng):
         $MSG.float_leaf = format_xml({"a":100.0});
         datetime = strptime("2000-01-01T00:00:00 +0200", "%Y-%m-%dT%H:%M:%S %z");
         $MSG.datetime_leaf = format_xml({"a":datetime});
+        $MSG.escaped = format_xml({"a":"<b>"});
 """,
     )
     syslog_ng.start(config)
@@ -2863,7 +2864,8 @@ def test_format_xml_valid_input(config, syslog_ng):
         r""""multiple_root":"<a>b</a><a>c</a>","""
         r""""integer_leaf":"<a>100</a>","""
         r""""float_leaf":"<a>100.0</a>","""
-        r""""datetime_leaf":"<a>946677600.000000</a>"}"""
+        r""""datetime_leaf":"<a>946677600.000000</a>","""
+        r""""escaped":"<a>&lt;b&gt;</a>"}"""
     )
     assert file_true.read_log() == exp