[vlc-devel] [PATCH 1/2] httprequests.lua: handle fields unsuitable for XML tag names

Pierre Ynard linkfanel at yahoo.fr
Sun Aug 23 00:51:06 CEST 2020

Table keys that would be invalid as XML tag names are instead passed
as the name attribute. This is a bit of a breaking change as it was
possible instead to abuse the key field to set arbitrary XML attributes
on the tag (whose syntactic validity then wasn't checked), or even to
inject extra XML code; however no in-tree user did that.

diff --git a/share/lua/intf/modules/httprequests.lua b/share/lua/intf/modules/httprequests.lua
index cdbc5a9..92d413a 100644
--- a/share/lua/intf/modules/httprequests.lua
+++ b/share/lua/intf/modules/httprequests.lua
@@ -246,10 +246,14 @@ local printXmlKeyValue = function (k,v,indent)
     for i=1,indent do print(" ") end
     if (k) then
-        if not tonumber(k) then
-            print("<"..k..">")
+        --XML element naming rules: this is a bit more conservative
+        --than it strictly needs to be
+        if not string.match(k, "^[a-zA-Z_][a-zA-Z0-9_%-%.]*$")
+            or string.match(k, "^[xX][mM][lL]") then
+            print('<element name="'..xmlString(k)..'">')
+            k = "element"
-            print("<entry_"..k..">")
+            print("<"..k..">")
@@ -260,16 +264,7 @@ local printXmlKeyValue = function (k,v,indent)
     if (k) then
-        xs=xmlString(k)
-        space_loc=string.find(xs," ")
-        if space_loc == nil then
-            xs=string.sub(xs,1,space_loc)
-        end
-        if not tonumber(xs) then
-            print("</"..xs..">")
-        else
-            print("</entry_"..xs..">")
-        end
+        print("</"..k..">")
Pierre Ynard
"Une âme dans un corps, c'est comme un dessin sur une feuille de papier."

More information about the vlc-devel mailing list