Merge pull request #9 from tadl/xml_escaping_fixes
authorJeff Godin <jgodin@tadl.org>
Thu, 15 May 2014 19:01:45 +0000 (15:01 -0400)
committerJeff Godin <jgodin@tadl.org>
Thu, 15 May 2014 19:01:45 +0000 (15:01 -0400)
xml escaping fixes

In addition to title and author, also attempt to escape call number
values in ItemRequestedResponse messages.

Also, don't use HTML::Entities::encode as that can introduce HTML
entities which are not valid built-in XML entities.

Signed-off-by: Jeff Godin <jgodin@tadl.org>
iNCIPit.cgi

index 9a45e0a..478f9e5 100644 (file)
@@ -869,10 +869,11 @@ sub item_request {
         }
     }
 
-    # Avoid generating invalid XML responses by encoding title/author
+    # Avoid generating invalid XML responses by encoding title/author/callnumber
     # TODO: Move away from heredocs for generating XML
-       $title  = HTML::Entities::encode($title);
-       $author = HTML::Entities::encode($author);
+       $title      = _naive_encode_xml($title);
+       $author     = _naive_encode_xml($author);
+       $callnumber = _naive_encode_xml($callnumber);
 
     my $hd = <<ITEMREQ;
 Content-type: text/xml
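Review bot: The three new assignment lines (`$title`, `$author`, `$callnumber`) appear to be indented with a tab while the comment lines directly above them and the rest of item_request use four spaces, so the block reads as mis-nested in a rendered diff. Since this commit already rewrites those lines, it is the natural place to re-indent them with four spaces, e.g. `    $title      = _naive_encode_xml($title);` and likewise for the other two. Separately, `$callnumber` is passed straight into the helper; if an item can lack a call number that value may be undef, and the helper's substitutions would then emit "Use of uninitialized value" warnings (handling that inside `_naive_encode_xml` is the cleaner fix). item_request starts and ends outside this hunk.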
@@ -1789,3 +1790,13 @@ sub flesh_user {
       ->gather(1);
     return $response;
 }
+
+sub _naive_encode_xml {
+    my $val = shift;
+
+    $val =~ s/&/&amp;/g;
+    $val =~ s/</&lt;/g;
+    $val =~ s/>/&gt;/g;
+
+    return $val;
+}
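Review bot: `_naive_encode_xml` escapes only `&`, `<` and `>`, which is sufficient for element text content but not for a value interpolated inside a quoted attribute; if any of the title/author/callnumber values land in an attribute in the ITEMREQ heredoc (outside this hunk), a `"` or `'` in the data still produces malformed XML. Adding `$val =~ s/"/&quot;/g;` and `$val =~ s/'/&apos;/g;` after the existing substitutions makes the helper safe in both positions, and an early `return '' unless defined $val;` avoids uninitialized-value warnings when a caller passes undef (whether callers can do so is not visible here). The `&` substitution must stay first so the entities introduced by the later lines are not double-encoded, which the current order already gets right. A short comment above the sub stating this contract would help, e.g. `# Escape the five predefined XML entities; the & substitution must run first. Does not strip characters that are illegal in XML 1.0.`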