XML control characters not escaped

clange
Posts: 7
Joined: Thu Sep 29, 2011 7:01 pm

XML control characters not escaped

Post by clange » Mon Jul 20, 2020 1:01 pm

In the XML response to Vault command line client requests, XML control characters are not escaped. This leads to malformed XML characters in the response. Particularly, this is occurring in comments where a user has used those characters. I do not know if it happens in other parts of the database.

Tonya
Posts: 641
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: XML control characters not escaped

Post by Tonya » Mon Jul 20, 2020 2:45 pm

Hello,

What Vault version do you have installed? Known characters should be escaped but there were some issues in earlier Vault versions. We applied some fixes in Vault 8.x so this version or anything above it should work accordingly.

Thanks,

Tonya

clange
Posts: 7
Joined: Thu Sep 29, 2011 7:01 pm

Re: XML control characters not escaped

Post by clange » Mon Jul 20, 2020 3:51 pm

We are using 9.1.0.

Tonya
Posts: 641
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: XML control characters not escaped

Post by Tonya » Tue Jul 21, 2020 7:26 am

Can you please provide us with an example of your command-line code that is not working properly for you?

Thanks,

Tonya

clange
Posts: 7
Joined: Thu Sep 29, 2011 7:01 pm

Re: XML control characters not escaped

Post by clange » Tue Jul 21, 2020 8:18 am

Note: **** replaces any sensitive information

Create label with comments that include quotes.
Example: Demo showing that "quotes" are not escaped.

Use the vault command line client.

vault rememberlogin -user **** -password **** -host ****
vault history -repository **** $/newfile.txt

Resulting XML

<vault>
<history>
<item txid="0" date="7/21/2020 8:31:24 AM" name="newfile.txt" type="90" typeName="Label" version="1" objverid="3353868" user="****" comment="[src date: 5/30/2013 10:50:40 PM]: Demo showing that &amp;quot;quotes&amp;quot; are not escaped." actionString="Labeled Newfile version 1 " />
<item txid="439823" date="5/30/2013 10:05:40 PM" name="newfile.txt" type="70" typeName="Created" version="1" objverid="3353868" user="****" actionString="Created" />
</history>
<bugsreferenced />
<result>
<success>True</success>
</result>
</vault>

Looking at the resulting output, here's a couple of specific questions.
Why does &amp; appear in the comment? There is no ampersand in the original comment.
There is no & appearing before quot;

clange
Posts: 7
Joined: Thu Sep 29, 2011 7:01 pm

Re: XML control characters not escaped

Post by clange » Tue Jul 21, 2020 9:38 am

While looking at this, we found a similar issue with most likely a slightly different cause.

The command line client does not appear to support Unicode characters in the comments. So if a Unicode character is entered in the GUI client, the command line returns ? (a question mark) for that character.

However, U+201C (LEFT DOUBLE QUOTATION MARK) is converted to U+0022 (QUOTATION MARK). Then the QUOTATION MARK is not escaped and ends in the XML of the command line response. This probably also happens for RIGHT DOUBLE QUOTATION MARK but I didn't check.

Tonya
Posts: 641
Joined: Thu Jan 20, 2005 1:47 pm
Location: SourceGear

Re: XML control characters not escaped

Post by Tonya » Tue Jul 21, 2020 12:16 pm

Thank you for the additional details. I was able to reproduce the problem and have logged these issues to be completed in an upcoming release.

Tonya
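
An added example, not part of the thread and not SourceGear's code: a consumer-side check in Python for the two symptoms reported above, an attribute value escaped twice (`&amp;quot;`) and a quotation mark written into an attribute with no escaping at all. The function names and the one-attribute `<item>` element are assumptions made for illustration; the sample comments are constructed from the one quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Entity references that show up as "&amp;name;" when escaping ran twice
# (or when the original text literally contained "&name;").
DOUBLE_ESCAPED = re.compile(r"&amp;(?:quot|apos|amp|lt|gt|#\d+|#x[0-9A-Fa-f]+);")

def escape_attr(value):
    """Escape text exactly once for a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})

def item_xml(comment, escaper=escape_attr):
    """Build a simplified <item/> element (hypothetical, one attribute only)."""
    return '<item comment="%s" />' % escaper(comment)

def read_comment(xml_text):
    """Return the parsed comment, or None if the XML is not well-formed."""
    try:
        return ET.fromstring(xml_text).get("comment")
    except ET.ParseError:
        return None

def find_double_escapes(xml_text):
    """List entity references in the raw XML that look escaped twice."""
    return DOUBLE_ESCAPED.findall(xml_text)

def fold_quotes(comment):
    """Model of the conversion reported in the thread: U+201C becomes U+0022.
    U+201D is included on the poster's unverified guess."""
    return comment.replace("\u201c", '"').replace("\u201d", '"')

# Constructed sample inputs based on the comment quoted in the thread.
COMMENT = 'Demo showing that "quotes" are not escaped.'
CURLY = "Demo showing that \u201cquotes\u201d are not escaped."

if __name__ == "__main__":
    once = item_xml(COMMENT)
    twice = item_xml(COMMENT, lambda s: escape_attr(escape_attr(s)))
    raw = item_xml(fold_quotes(CURLY), lambda s: s)  # no escaping at all
    for label, doc in (("once", once), ("twice", twice), ("none", raw)):
        print(label, doc, read_comment(doc), find_double_escapes(doc))
```

A double-escape hit is a signal to investigate, not proof of a bug, since a comment that genuinely contains the text `&quot;` produces the same raw bytes.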
