Improve XML decoder to remove illegal characters

author: Tony Wang <wwwjfy@gmail.com> 2019-10-23 11:27:27 +0800
committer: Frédéric Guillot <fred@miniflux.net> 2019-10-22 20:32:35 -0700
commit: 2eb2441f2ba9fcb50d17d8f7deead756187b3586 (patch)
tree: 523c1dbfe2d87b5ca44cd1d71f79e7ced12bd85c /reader
parent: 7409bba0d8c8ab74b57cb05cb1571a7e72a7073e (diff)
5 files changed, 82 insertions, 18 deletions
diff --git a/reader/atom/parser.go b/reader/atom/parser.go
index 4749c1a..90a84aa 100644
--- a/reader/atom/parser.go
+++ b/reader/atom/parser.go
@@ -5,22 +5,17 @@
 package atom // import "miniflux.app/reader/atom"
 
 import (
-	"encoding/xml"
 	"io"
 
 	"miniflux.app/errors"
 	"miniflux.app/model"
-	"miniflux.app/reader/encoding"
+	"miniflux.app/reader/xml"
 )
 
 // Parse returns a normalized feed struct from a Atom feed.
 func Parse(data io.Reader) (*model.Feed, *errors.LocalizedError) {
 	atomFeed := new(atomFeed)
 	decoder := xml.NewDecoder(data)
-	decoder.Entity = xml.HTMLEntity
-	decoder.Strict = false
-	decoder.CharsetReader = encoding.CharsetReader
-
 	err := decoder.Decode(atomFeed)
 	if err != nil {
 		return nil, errors.NewLocalizedError("Unable to parse Atom feed: %q", err)
diff --git a/reader/rdf/parser.go b/reader/rdf/parser.go
index 861ce8c..57a8e52 100644
--- a/reader/rdf/parser.go
+++ b/reader/rdf/parser.go
@@ -5,22 +5,17 @@
 package rdf // import "miniflux.app/reader/rdf"
 
 import (
-	"encoding/xml"
 	"io"
 
 	"miniflux.app/errors"
 	"miniflux.app/model"
-	"miniflux.app/reader/encoding"
+	"miniflux.app/reader/xml"
 )
 
 // Parse returns a normalized feed struct from a RDF feed.
 func Parse(data io.Reader) (*model.Feed, *errors.LocalizedError) {
 	feed := new(rdfFeed)
 	decoder := xml.NewDecoder(data)
-	decoder.Entity = xml.HTMLEntity
-	decoder.Strict = false
-	decoder.CharsetReader = encoding.CharsetReader
-
 	err := decoder.Decode(feed)
 	if err != nil {
 		return nil, errors.NewLocalizedError("Unable to parse RDF feed: %q", err)
diff --git a/reader/rss/parser.go b/reader/rss/parser.go
index 79bd144..9ed773d 100644
--- a/reader/rss/parser.go
+++ b/reader/rss/parser.go
@@ -5,22 +5,17 @@
 package rss // import "miniflux.app/reader/rss"
 
 import (
-	"encoding/xml"
 	"io"
 
 	"miniflux.app/errors"
 	"miniflux.app/model"
-	"miniflux.app/reader/encoding"
+	"miniflux.app/reader/xml"
 )
 
 // Parse returns a normalized feed struct from a RSS feed.
 func Parse(data io.Reader) (*model.Feed, *errors.LocalizedError) {
 	feed := new(rssFeed)
 	decoder := xml.NewDecoder(data)
-	decoder.Entity = xml.HTMLEntity
-	decoder.Strict = false
-	decoder.CharsetReader = encoding.CharsetReader
-
 	err := decoder.Decode(feed)
 	if err != nil {
 		return nil, errors.NewLocalizedError("Unable to parse RSS feed: %q", err)
diff --git a/reader/xml/decoder.go b/reader/xml/decoder.go
new file mode 100644
index 0000000..d01f74e
--- /dev/null
+++ b/reader/xml/decoder.go
@@ -0,0 +1,50 @@
+// Copyright 2019 Frédéric Guillot. All rights reserved.
+// Use of this source code is governed by the Apache 2.0
+// license that can be found in the LICENSE file.
+
+package xml // import "miniflux.app/reader/xml"
+
+import (
+	"bytes"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"io/ioutil"
+
+	"miniflux.app/reader/encoding"
+)
+
+// NewDecoder returns a XML decoder that filters illegal characters.
+func NewDecoder(data io.Reader) *xml.Decoder {
+	decoder := xml.NewDecoder(data)
+	decoder.Entity = xml.HTMLEntity
+	decoder.Strict = false
+	decoder.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) {
+		utf8Reader, err := encoding.CharsetReader(charset, input)
+		if err != nil {
+			return nil, err
+		}
+		rawData, err := ioutil.ReadAll(utf8Reader)
+		if err != nil {
+			return nil, fmt.Errorf("Unable to read data: %q", err)
+		}
+		filteredBytes := bytes.Map(filterValidXMLChar, rawData)
+		return bytes.NewReader(filteredBytes), nil
+	}
+
+	return decoder
+}
+
+// This function is copied from encoding/xml package,
+// and is used to check if all the characters are legal.
+func filterValidXMLChar(r rune) rune {
+	if r == 0x09 ||
+		r == 0x0A ||
+		r == 0x0D ||
+		r >= 0x20 && r <= 0xD7FF ||
+		r >= 0xE000 && r <= 0xFFFD ||
+		r >= 0x10000 && r <= 0x10FFFF {
+		return r
+	}
+	return -1
+}
diff --git a/reader/xml/decoder_test.go b/reader/xml/decoder_test.go
new file mode 100644
index 0000000..ea24bf8
--- /dev/null
+++ b/reader/xml/decoder_test.go
@@ -0,0 +1,29 @@
+// Copyright 2019 Frédéric Guillot. All rights reserved.
+// Use of this source code is governed by the Apache 2.0
+// license that can be found in the LICENSE file.
+
+package xml // import "miniflux.app/reader/xml"
+
+import (
+	"encoding/xml"
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func TestIllegalCharacters(t *testing.T) {
+	type myxml struct {
+		XMLName xml.Name `xml:"rss"`
+		Version string   `xml:"version,attr"`
+		Title   string   `xml:"title"`
+	}
+
+	data := fmt.Sprintf(`<?xml version="1.0" encoding="windows-1251"?><rss version="2.0"><title>%s</title></rss>`, "\x10")
+	var x myxml
+
+	decoder := NewDecoder(strings.NewReader(data))
+	err := decoder.Decode(&x)
+	if err != nil {
+		t.Error(err)
+	}
+}
author	Tony Wang <wwwjfy@gmail.com>	2019-10-23 11:27:27 +0800
committer	Frédéric Guillot <fred@miniflux.net>	2019-10-22 20:32:35 -0700
commit	2eb2441f2ba9fcb50d17d8f7deead756187b3586 (patch)
tree	523c1dbfe2d87b5ca44cd1d71f79e7ced12bd85c /reader
parent	7409bba0d8c8ab74b57cb05cb1571a7e72a7073e (diff)