On mån, 2011-04-25 at 19:25 -0400, Andrew Dunstan wrote:
> I came across this today, while helping a customer. The following
> will
> happily create a piece of XML with an embedded ^A:
>
> select xmlelement(name foo, null, E'abc\x01def');
>
> Now, a ^A is totally forbidden in XML version 1.0, and allowed but
> only
> as "�" or equivalent in XML version 1.1, and not as a 0x01 byte
> (see <http://en.wikipedia.org/wiki/XML#Valid_characters>)
The best place to fix this might be in escape_xml() in xml.c. Since we
don't support XML 1.1 yet, just reject all invalid characters there
according to XML 1.0.
Relevant bits from the SQL standard:
i)
Let CS be the character set of SQLT. Let XMLVRAW be the result of mapping SQLV to Unicode
using the implementation-defined mapping of character strings of CS to Unicode. If any Unicode
code point in XMLVRAW does not represent a valid XML character, then an exception condition
is raised: SQL/XML mapping error — invalid XML character.
[This is what you'd add.]
ii)
Let XMLV be XMLVRAW, with each instance of “&” (U+0026) replaced by “&”, each
instance of “<” (U+003C) replaced by “<”, each instance of “>” (U+003E) replaced by “>”,
and each instance of Carriage Return (U+000D) replaced by “
”.
[This is what it already does.]