Fix #1870 - Strip control characters out of strings in AtomSerializer (#1876)
authorEugen <eugen@zeonfederated.com>
Sun, 16 Apr 2017 18:32:27 +0000 (20:32 +0200)
committerGitHub <noreply@github.com>
Sun, 16 Apr 2017 18:32:27 +0000 (20:32 +0200)
* Fix #1870 - Strip control characters out of strings in AtomSerializer

* Adjust according to comment by @alpaca-tc

app/lib/atom_serializer.rb

index 6f191044089f7da1d274009e6ebe87e4ac4aae0a..4e4031bba55f6193b23664e837733cce6684b1e7 100644 (file)
@@ -3,6 +3,8 @@
 class AtomSerializer
   include RoutingHelper
 
+  INVALID_XML_CHARS = /[^\u0009\u000a\u000d\u0020-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]/
+
   class << self
     def render(element)
       document = Ox::Document.new(version: '1.0')
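Review bot: The last range in `INVALID_XML_CHARS` does not match U+10000–U+10FFFF, because Ruby's `\uXXXX` escape takes exactly four hex digits. As written, `\u10000-\u10FFFF` is read as `\u1000`, then the range `0-\u10FF`, then two literal `F` characters. The supplementary planes therefore fall outside the allowed set, and `sanitize_str` in the second hunk will strip every such character (emoji, for example) from element content and attribute values. The braced escape fixes it: `INVALID_XML_CHARS = /[^\u0009\u000a\u000d\u0020-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/`. A spec asserting that a control character is removed while a supplementary-plane character survives would pin both halves of the behaviour.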
@@ -311,11 +313,15 @@ class AtomSerializer
 
   def append_element(parent, name, content = nil, attributes = {})
     element = Ox::Element.new(name)
-    attributes.each { |k, v| element[k] = v.to_s }
-    element << content.to_s unless content.nil?
+    attributes.each { |k, v| element[k] = sanitize_str(v) }
+    element << sanitize_str(content) unless content.nil?
     parent  << element
   end
 
+  def sanitize_str(raw_str)
+    raw_str.to_s.gsub(INVALID_XML_CHARS, '')
+  end
+
   def add_namespaces(parent)
     parent['xmlns']          = TagManager::XMLNS
     parent['xmlns:thr']      = TagManager::THR_XMLNS
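Review bot: `sanitize_str` assumes that `raw_str.to_s` is validly encoded UTF-8. `gsub` with this pattern raises `ArgumentError` on a string containing invalid byte sequences, so one malformed value would abort rendering of the whole document instead of being cleaned. Whether such values can reach `append_element` is not visible from this hunk; if they can, scrub first with `raw_str.to_s.scrub('').gsub(INVALID_XML_CHARS, '')`. The method would also benefit from a one-line comment such as `# Drops characters outside the XML 1.0 Char range; this is not escaping.` so it is not mistaken for an escaping helper. The class body, including `add_namespaces`, continues outside the hunk.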