<debug:exception> element in report.xml has unescaped pos0 attribute
It looks like the pos0 attribute in <debug:exception> elements in report.xml is not escaped. Consequently raw & characters can be included, instead of being converted to &amp;.
<debug:exception name='read error' pos0='(C:\AD&D/MonsterManual.pdf|0)' >read error</debug:exception>
Ick. Can you push a patch?
On Sep 13, 2016, at 5:18 PM, Jon Stewart wrote:
It looks like the pos0 attribute in <debug:exception> elements in report.xml is not escaped. Consequently raw & characters can be included, instead of being converted to &amp;.
<debug:exception name='read error' pos0='(C:\AD&D/MonsterManual.pdf|0)' >read error</debug:exception>
View it on GitHub: https://github.com/simsong/bulk_extractor/issues/85
I'll try. Where are exceptions converted to xml for output?
in phase1.cpp:
(base) simsong@nimi bulk_extractor % grep 'debug:exception' src/phase1.cpp (slg-dev)bulk_extractor
xreport.xmlout("debug:exception", e.what(), str.str(), true);
xreport.xmlout("debug:exception", e.what(), sstr.str(), true);
@jonstewart - are you still working on this?
@jonstewart - does this matter anymore?
Senator, I have no recollection of this matter.
It looks like the pertinent question is whether .xmlout() on xmlreport escapes all strings passed to it. I will take a look this evening.
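For reference, the escaping that the pos0 value in the report needs, as an added example that is not part of the thread and not bulk_extractor's own code. The names `xml_escape_attr` and `has_bare_ampersand` are hypothetical, and the sample string is constructed from the attribute value quoted in the issue.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper, not bulk_extractor's xmlout(): escape a string so it
// is safe inside a single- or double-quoted XML attribute value.
std::string xml_escape_attr(const std::string &in) {
    std::string out;
    out.reserve(in.size() + 16);
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;  // must be escaped everywhere
        case '<':  out += "&lt;";   break;  // never legal raw in an attribute
        case '>':  out += "&gt;";   break;
        case '\'': out += "&apos;"; break;  // the report quotes attributes with '
        case '"':  out += "&quot;"; break;
        default:   out += c;        break;
        }
    }
    return out;
}

// Hypothetical check for report post-processing: true if s has an '&' that
// does not start something shaped like a reference (&name; or &#digits;).
// This is a loose shape test, not a full XML entity validator.
bool has_bare_ampersand(const std::string &s) {
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '&') continue;
        std::size_t j = i + 1;
        if (j < s.size() && s[j] == '#') ++j;
        std::size_t start = j;
        while (j < s.size() && std::isalnum(static_cast<unsigned char>(s[j]))) ++j;
        if (j == start || j == s.size() || s[j] != ';') return true;
        i = j;  // skip past the well-shaped reference
    }
    return false;
}

int main() {
    // Constructed from the attribute value quoted in the issue.
    const std::string pos0 = "(C:\\AD&D/MonsterManual.pdf|0)";
    std::cout << "raw value has bare '&': " << has_bare_ampersand(pos0) << "\n";
    std::cout << "<debug:exception name='read error' pos0='"
              << xml_escape_attr(pos0) << "'>read error</debug:exception>\n";
    return 0;
}
```

Escaping has to happen exactly once, at the point where the string is written into the report; applying it to an already-escaped value turns `&amp;` into `&amp;amp;`.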