
Re: [Libvir] XML escaping patch

On Fri, Jul 06, 2007 at 03:06:37PM +0100, Daniel P. Berrange wrote:
> On Fri, Jul 06, 2007 at 09:49:46AM -0400, Daniel Veillard wrote:
> >   This is related to bug #206653
> >     https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206653
> > basically we are very optimistic when generating the XML files, and
> > sometimes this can break. The most common case is if some string inherited
> > from the user input or some other config file embeds one of > < or & ,
> > another one would be if the strings contain characters outside of the
> > ASCII range and are not encoded in UTF-8. We can at least cope with the
> > easy case of escaping the 3 characters.
> > This patch adds a simple buffer printing routine working with a simple
> > string argument, and uses it for the 2 cases where I think it's most likely
> > to be needed i.e. cmdline and bootloader_args. There are a number of places
> > where paths are used and the user might use weird character names, but since
> > those cases can't be handled properly (you can't change that path or try
> > to convert encoding on the fly since we can't guess reliably which one is
> > used) I didn't try to change those.
> > This makes for a relatively simple patch which should IMHO cover most cases
> > where we may break while we really should not.
> To be honest the whole way of building up XML documents through string
> concatenation is rather disgusting. Isn't there some simple API that we
> could use to build up based on logical elements, attributes & text...

  The xmlWriter part of libxml2
but 1/ that's one of the few modules I didn't write :-) 2/ I never used it
3/ documentation is rather limited.
But the main reason I'm not sure it would really help is that the main kind
of errors we may face is IMHO problems of encodings, where we may not
know what encoding is associated with a char * and if we need to plug
the string in XML we have absolutely no guarantee. And since for example
the sexpr don't have an encoding we are just crossing fingers when talking
to Xend.


Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
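
The escaping of the three characters described in the quoted patch summary, combined with the encoding concern raised in the reply, as an added example; it is not the patch from this thread and not libvirt or libxml2 code, and the function names `is_valid_utf8` and `xml_escape_text` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Return 1 if s is well-formed UTF-8 (no overlong forms, surrogates or
 * code points above U+10FFFF), 0 otherwise. */
static int is_valid_utf8(const unsigned char *s)
{
    while (*s) {
        unsigned int cp, n, min;
        if (*s < 0x80) { s++; continue; }
        if ((*s & 0xE0) == 0xC0)      { cp = *s & 0x1F; n = 1; min = 0x80; }
        else if ((*s & 0xF0) == 0xE0) { cp = *s & 0x0F; n = 2; min = 0x800; }
        else if ((*s & 0xF8) == 0xF0) { cp = *s & 0x07; n = 3; min = 0x10000; }
        else return 0;                /* stray continuation or invalid lead byte */
        s++;
        while (n--) {                 /* a NUL here fails the check, so no overrun */
            if ((*s & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (*s++ & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    }
    return 1;
}

/* Hypothetical helper: copy `in` to `out` as XML element text, escaping
 * & < >. Returns the escaped length, or -1 if `in` is not UTF-8 or the
 * result does not fit in `outlen` bytes; `out` is unspecified on failure.
 * Attribute values would additionally need quote escaping. */
int xml_escape_text(const char *in, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0 || !is_valid_utf8((const unsigned char *)in)) return -1;
    for (; *in; in++) {
        const char *rep = in;         /* default: copy the byte unchanged */
        size_t len = 1;
        switch (*in) {
        case '&': rep = "&amp;"; len = 5; break;
        case '<': rep = "&lt;";  len = 4; break;
        case '>': rep = "&gt;";  len = 4; break;
        }
        if (used + len >= outlen) return -1;   /* keep room for the NUL */
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}
```

Rejecting input that is not valid UTF-8, rather than guessing its encoding, keeps the generated document parseable while leaving the decision about the bad string to the caller.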
