[vlc-devel] [PATCH 1/2] httprequests.lua: handle fields unsuitable for XML tag names

[Pierre Ynard]

Table keys that would be invalid as XML tag names are instead passed
as the name attribute. This is a bit of a breaking change as it was
possible instead to abuse the key field to set arbitrary XML attributes
on the tag (whose syntactic validity then wasn't checked), or even to
inject extra XML code; however no in-tree user did that.


diff --git a/share/lua/intf/modules/httprequests.lua b/share/lua/intf/modules/httprequests.lua
index cdbc5a9..92d413a 100644
--- a/share/lua/intf/modules/httprequests.lua
+++ b/share/lua/intf/modules/httprequests.lua
@@ -246,10 +246,14 @@ local printXmlKeyValue = function (k,v,indent)
     print("\n")
     for i=1,indent do print(" ") end
     if (k) then
-        if not tonumber(k) then
-            print("<"..k..">")
+        --XML element naming rules: this is a bit more conservative
+        --than it strictly needs to be
+        if not string.match(k, "^[a-zA-Z_][a-zA-Z0-9_%-%.]*$")
+            or string.match(k, "^[xX][mM][lL]") then
+            print('<element name="'..xmlString(k)..'">')
+            k = "element"
         else
-            print("<entry_"..k..">")
+            print("<"..k..">")
         end
     end
 
@@ -260,16 +264,7 @@ local printXmlKeyValue = function (k,v,indent)
     end
 
     if (k) then
-        xs=xmlString(k)
-        space_loc=string.find(xs," ")
-        if space_loc == nil then
-            xs=string.sub(xs,1,space_loc)
-        end
-        if not tonumber(xs) then
-            print("</"..xs..">")
-        else
-            print("</entry_"..xs..">")
-        end
+        print("</"..k..">")
     end
 end
 
-- 
Pierre Ynard
"Une âme dans un corps, c'est comme un dessin sur une feuille de papier."