Merge pull request #3154 from ControlSystemStudio/scan_xml

Scan Server: Sanitize XML

services/scan-server/.classpath

@@ -8,6 +8,8 @@
 	<classpathentry combineaccessrules="false" kind="src" path="/core-framework"/>
 	<classpathentry combineaccessrules="false" kind="src" path="/core-util"/>
 	<classpathentry combineaccessrules="false" kind="src" path="/core-pv"/>
+	<classpathentry combineaccessrules="false" kind="src" path="/core-pv-ca"/>
+	<classpathentry combineaccessrules="false" kind="src" path="/core-pv-pva"/>
         <classpathentry combineaccessrules="false" kind="src" path="/core-vtype"/>
 	<classpathentry combineaccessrules="false" kind="src" path="/app-scan-model"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.junit.JUNIT_CONTAINER/5"/>

services/scan-server/src/main/java/org/csstudio/scan/server/httpd/ServletHelper.java

@@ -1,15 +1,18 @@
 /*******************************************************************************
- * Copyright (c) 2012-2018 Oak Ridge National Laboratory.
+ * Copyright (c) 2012-2024 Oak Ridge National Laboratory.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-v10.html
  ******************************************************************************/
 package org.csstudio.scan.server.httpd;
 
+import static org.csstudio.scan.server.ScanServerInstance.logger;
+
 import java.time.Instant;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.logging.Level;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -68,10 +71,50 @@ public static XMLStreamWriter createXML(final HttpServletResponse response) thro
     public static void write(final XMLStreamWriter writer, final String name, final String text) throws Exception
     {
         writer.writeStartElement(name);
-        writer.writeCharacters(text);
+        writer.writeCharacters(sanitizeXML(text));
         writer.writeEndElement();
     }
 
+    /** Sanitize XML text
+     * 
+     *  <p>XMLStreamWriter.writeCharacters handles '<', '>', ampersand and potentially double-quotes.
+     *  It will not, however, escape 'control' characters like character 7.
+     *  One could escape them as "ampersand hashmark 7 semicolon",
+     *  but their use is still not full supported in XML, see
+     *  https://en.wikipedia.org/wiki/Valid_characters_in_XML
+     *  https://stackoverflow.com/questions/404107/why-are-control-characters-illegal-in-xml-1-0
+     *  https://learn.microsoft.com/en-us/previous-versions/troubleshoot/msxml/error-when-xml-contains-low-order-ascii
+     *  
+     *  <p>For example, when viewing the XML in Safari,
+     *  that client will un-escape back into character 7
+     *  and then complain "invalid XML char value 7".
+     *  
+     *  <p>This sanitizer will replace such control characters with underscores and log a warning.
+     *  
+     *  @param text Text like "demo\0x7"
+     *  @return Text like "demo_"
+     */
+    private static String sanitizeXML(final String text)
+    {
+        final StringBuilder out = new StringBuilder();
+        for (int i=0; i<text.length(); ++i)
+        {
+            char c = text.charAt(i);
+            // https://en.wikipedia.org/wiki/Valid_characters_in_XML:
+            // U+0009, U+000A, U+000D: these are the only C0 controls accepted in XML 1.0;
+            if (c < ' ' && c != '\t' && c != '\r' && c != '\n')
+            {
+                logger.log(Level.WARNING,
+                           String.format("Sanitizing XML for '%s' at index %d (char 0x%X)",
+                                         text, i, (int) c));
+                out.append('_');
+            }
+            else
+                out.append(c);
+        }
+        return out.toString();
+    }
+
     /** Create XML element for number
      *  @param writer {@link XMLStreamWriter}
      *  @param name Name of XML element