From f902a335f9063eea32ffa13d35df7d38a0299d90 Mon Sep 17 00:00:00 2001
From: Eugen <eugen@zeonfederated.com>
Date: Sun, 16 Apr 2017 20:32:27 +0200
Subject: [PATCH] Fix #1870 - Strip control characters out of strings in
AtomSerializer (#1876)
* Fix #1870 - Strip control characters out of strings in AtomSerializer
* Adjust according to comment by @alpaca-tc
---
app/lib/atom_serializer.rb | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/lib/atom_serializer.rb b/app/lib/atom_serializer.rb
index 6f19104408..4e4031bba5 100644
--- a/app/lib/atom_serializer.rb
+++ b/app/lib/atom_serializer.rb
@@ -3,6 +3,8 @@
class AtomSerializer
include RoutingHelper
+ INVALID_XML_CHARS = /[^\u0009\u000a\u000d\u0020-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]/
+
class << self
def render(element)
document = Ox::Document.new(version: '1.0')
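Review bot: The last range in `INVALID_XML_CHARS`, `\u10000-\u10FFFF`, does not cover the supplementary planes, because Ruby's unbraced `\u` escape takes exactly four hex digits. The pattern is read as `\u1000`, the range `0-\u10FF` and a literal `F`. Every code point above U+FFFF, which includes most emoji, therefore falls outside the allowed set and is deleted from serialized content and attributes. The braced form expresses the intended XML 1.0 range: `INVALID_XML_CHARS = /[^\u0009\u000a\u000d\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/`. A spec that passes a string containing a supplementary-plane character through `append_element` would pin this.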
@@ -311,11 +313,15 @@ class AtomSerializer
def append_element(parent, name, content = nil, attributes = {})
element = Ox::Element.new(name)
- attributes.each { |k, v| element[k] = v.to_s }
- element << content.to_s unless content.nil?
+ attributes.each { |k, v| element[k] = sanitize_str(v) }
+ element << sanitize_str(content) unless content.nil?
parent << element
end
+ def sanitize_str(raw_str)
+ raw_str.to_s.gsub(INVALID_XML_CHARS, '')
+ end
+
def add_namespaces(parent)
parent['xmlns'] = TagManager::XMLNS
parent['xmlns:thr'] = TagManager::THR_XMLNS
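Review bot: `sanitize_str` runs `gsub` with a Unicode pattern directly on `raw_str.to_s`, and `String#gsub` raises `ArgumentError` when the string contains a byte sequence that is invalid for its encoding. One malformed value would then abort rendering of the whole document instead of being cleaned. Whether any caller can pass such a string is not visible from this hunk; if remote or user-supplied text can reach it unvalidated, scrub first: `raw_str.to_s.scrub('').gsub(INVALID_XML_CHARS, '')`. A short comment above the method, e.g. `# Drops characters that XML 1.0 does not allow in a document`, would make clear that this is character filtering and not escaping. `add_namespaces` continues outside the hunk.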
--
GitLab