Merge pull request #315 from mauromol/escape-strings-in-xml

Properly escape text to produce valid XML

Author: pitbulk

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -206,15 +206,15 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		String destinationStr = "";
 		URL sso =  settings.getIdpSingleSignOnServiceUrl();
 		if (sso != null) {
-			destinationStr = " Destination=\"" + sso.toString() + "\"";
+			destinationStr = " Destination=\"" + Util.toXml(sso.toString()) + "\"";
 		}
 		valueMap.put("destinationStr", destinationStr);
 
 		String subjectStr = "";
 		if (nameIdValueReq != null && !nameIdValueReq.isEmpty()) {
 			String nameIDFormat = settings.getSpNameIDFormat();
 			subjectStr = "<saml:Subject>";
-			subjectStr += "<saml:NameID Format=\"" + nameIDFormat + "\">" + nameIdValueReq + "</saml:NameID>";
+			subjectStr += "<saml:NameID Format=\"" + Util.toXml(nameIDFormat) + "\">" + Util.toXml(nameIdValueReq) + "</saml:NameID>";
 			subjectStr += "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"></saml:SubjectConfirmation>";
 			subjectStr += "</saml:Subject>";
         }
@@ -226,7 +226,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 			if (settings.getWantNameIdEncrypted()) {
 				nameIDPolicyFormat = Constants.NAMEID_ENCRYPTED;
 			}
-			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + nameIDPolicyFormat + "\" AllowCreate=\"true\" />";
+			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + Util.toXml(nameIDPolicyFormat) + "\" AllowCreate=\"true\" />";
 		}
 		valueMap.put("nameIDPolicyStr", nameIDPolicyStr);
 
@@ -235,25 +235,25 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		if (organization != null) {
 			String displayName = organization.getOrgDisplayName();
 			if (!displayName.isEmpty()) {
-				providerStr = " ProviderName=\""+ displayName + "\""; 
+				providerStr = " ProviderName=\""+ Util.toXml(displayName) + "\""; 
 			}
 		}
 		valueMap.put("providerStr", providerStr);
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
-		valueMap.put("id", String.valueOf(id));
-		valueMap.put("assertionConsumerServiceURL", String.valueOf(settings.getSpAssertionConsumerServiceUrl()));
-		valueMap.put("protocolBinding", settings.getSpAssertionConsumerServiceBinding());
-		valueMap.put("spEntityid", settings.getSpEntityId());
+		valueMap.put("id", Util.toXml(String.valueOf(id)));
+		valueMap.put("assertionConsumerServiceURL", Util.toXml(String.valueOf(settings.getSpAssertionConsumerServiceUrl())));
+		valueMap.put("protocolBinding", Util.toXml(settings.getSpAssertionConsumerServiceBinding()));
+		valueMap.put("spEntityid", Util.toXml(settings.getSpEntityId()));
 
 		String requestedAuthnContextStr = "";
 		List<String> requestedAuthnContexts = settings.getRequestedAuthnContext();
 		if (requestedAuthnContexts != null && !requestedAuthnContexts.isEmpty()) {
 			String requestedAuthnContextCmp = settings.getRequestedAuthnContextComparison();
-			requestedAuthnContextStr = "<samlp:RequestedAuthnContext Comparison=\"" + requestedAuthnContextCmp + "\">";
+			requestedAuthnContextStr = "<samlp:RequestedAuthnContext Comparison=\"" + Util.toXml(requestedAuthnContextCmp) + "\">";
 			for (String requestedAuthnContext : requestedAuthnContexts) {
-				requestedAuthnContextStr += "<saml:AuthnContextClassRef>" + requestedAuthnContext + "</saml:AuthnContextClassRef>";
+				requestedAuthnContextStr += "<saml:AuthnContextClassRef>" + Util.toXml(requestedAuthnContext) + "</saml:AuthnContextClassRef>";
 			}
 			requestedAuthnContextStr += "</samlp:RequestedAuthnContext>";
 		}

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -294,19 +294,19 @@ public String getLogoutRequestXml() {
 	private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		Map<String, String> valueMap = new HashMap<String, String>();
 
-		valueMap.put("id", id);		
+		valueMap.put("id", Util.toXml(id));		
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
 
 		String destinationStr = "";
 		URL slo =  settings.getIdpSingleLogoutServiceUrl();
 		if (slo != null) {
-			destinationStr = " Destination=\"" + slo.toString() + "\"";
+			destinationStr = " Destination=\"" + Util.toXml(slo.toString()) + "\"";
 		}
 		valueMap.put("destinationStr", destinationStr);
 
-		valueMap.put("issuer", settings.getSpEntityId());
+		valueMap.put("issuer", Util.toXml(settings.getSpEntityId()));
 
 		String nameIdFormat = null;
 		String spNameQualifier = this.nameIdSPNameQualifier;
@@ -349,7 +349,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 
 		String sessionIndexStr = "";
 		if (sessionIndex != null) {
-			sessionIndexStr = " <samlp:SessionIndex>" + sessionIndex + "</samlp:SessionIndex>";
+			sessionIndexStr = " <samlp:SessionIndex>" + Util.toXml(sessionIndex) + "</samlp:SessionIndex>";
 		}
 		valueMap.put("sessionIndexStr", sessionIndexStr);
 

core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java

@@ -421,31 +421,31 @@ protected String postProcessXml(final String logoutResponseXml, final Saml2Setti
 	private StrSubstitutor generateSubstitutor(Saml2Settings settings, String statusCode) {
 		Map<String, String> valueMap = new HashMap<String, String>();
 
-		valueMap.put("id", id);
+		valueMap.put("id", Util.toXml(id));
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
 
 		String destinationStr = "";
 		URL slo =  settings.getIdpSingleLogoutServiceResponseUrl();
 		if (slo != null) {
-			destinationStr = " Destination=\"" + slo.toString() + "\"";
+			destinationStr = " Destination=\"" + Util.toXml(slo.toString()) + "\"";
 		}
 		valueMap.put("destinationStr", destinationStr);
 
 		String inResponseStr = "";
 		if (inResponseTo != null) {
-			inResponseStr = " InResponseTo=\"" + inResponseTo + "\"";
+			inResponseStr = " InResponseTo=\"" + Util.toXml(inResponseTo) + "\"";
 		}
 		valueMap.put("inResponseStr", inResponseStr);		
 
 		String statusStr = "";
 		if (statusCode != null) {
-			statusStr = "Value=\"" + statusCode + "\"";
+			statusStr = "Value=\"" + Util.toXml(statusCode) + "\"";
 		}
 		valueMap.put("statusStr", statusStr);
 
-		valueMap.put("issuer", settings.getSpEntityId());
+		valueMap.put("issuer", Util.toXml(settings.getSpEntityId()));
 
 		return new StrSubstitutor(valueMap);
 	}

core/src/main/java/com/onelogin/saml2/settings/Metadata.java

@@ -1,5 +1,7 @@
 package com.onelogin.saml2.settings;
 
+import static com.onelogin.saml2.util.Util.toXml;
+
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -146,7 +148,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) throws Certif
 		Map<String, String> valueMap = new HashMap<String, String>();
 		Boolean wantsEncrypted = settings.getWantAssertionsEncrypted() || settings.getWantNameIdEncrypted();
 
-		valueMap.put("id", Util.generateUniqueID(settings.getUniqueIDPrefix()));
+		valueMap.put("id", Util.toXml(Util.generateUniqueID(settings.getUniqueIDPrefix())));
 		String validUntilTimeStr = "";
 		if (validUntilTime != null) {
 			String validUntilTimeValue = Util.formatDateTime(validUntilTime.getTimeInMillis());
@@ -161,12 +163,12 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) throws Certif
 		}
 		valueMap.put("cacheDurationStr", cacheDurationStr);
 
-		valueMap.put("spEntityId", settings.getSpEntityId());
+		valueMap.put("spEntityId", Util.toXml(settings.getSpEntityId()));
 		valueMap.put("strAuthnsign", String.valueOf(settings.getAuthnRequestsSigned()));
 		valueMap.put("strWsign", String.valueOf(settings.getWantAssertionsSigned()));
-		valueMap.put("spNameIDFormat", settings.getSpNameIDFormat());
-		valueMap.put("spAssertionConsumerServiceBinding", settings.getSpAssertionConsumerServiceBinding());
-		valueMap.put("spAssertionConsumerServiceUrl", settings.getSpAssertionConsumerServiceUrl().toString());
+		valueMap.put("spNameIDFormat", Util.toXml(settings.getSpNameIDFormat()));
+		valueMap.put("spAssertionConsumerServiceBinding", Util.toXml(settings.getSpAssertionConsumerServiceBinding()));
+		valueMap.put("spAssertionConsumerServiceUrl", Util.toXml(settings.getSpAssertionConsumerServiceUrl().toString()));
 		valueMap.put("sls", toSLSXml(settings.getSpSingleLogoutServiceUrl(), settings.getSpSingleLogoutServiceBinding()));
 
 		valueMap.put("strAttributeConsumingService", getAttributeConsumingServiceXml());
@@ -218,10 +220,10 @@ private String getAttributeConsumingServiceXml() {
 
 			attributeConsumingServiceXML.append("<md:AttributeConsumingService index=\"1\">");
 			if (serviceName != null && !serviceName.isEmpty()) {
-				attributeConsumingServiceXML.append("<md:ServiceName xml:lang=\"en\">" + serviceName + "</md:ServiceName>");
+				attributeConsumingServiceXML.append("<md:ServiceName xml:lang=\"en\">" + Util.toXml(serviceName) + "</md:ServiceName>");
 			}
 			if (serviceDescription != null && !serviceDescription.isEmpty()) {
-				attributeConsumingServiceXML.append("<md:ServiceDescription xml:lang=\"en\">" + serviceDescription + "</md:ServiceDescription>");
+				attributeConsumingServiceXML.append("<md:ServiceDescription xml:lang=\"en\">" + Util.toXml(serviceDescription) + "</md:ServiceDescription>");
 			}
 			if (requestedAttributes != null && !requestedAttributes.isEmpty()) {
 				for (RequestedAttribute requestedAttribute : requestedAttributes) {
@@ -234,15 +236,15 @@ private String getAttributeConsumingServiceXml() {
 					String contentStr = "<md:RequestedAttribute";
 
 					if (name != null && !name.isEmpty()) {
-						contentStr += " Name=\"" + name + "\"";
+						contentStr += " Name=\"" + Util.toXml(name) + "\"";
 					}
 
 					if (nameFormat != null && !nameFormat.isEmpty()) {
-						contentStr += " NameFormat=\"" + nameFormat + "\"";
+						contentStr += " NameFormat=\"" + Util.toXml(nameFormat) + "\"";
 					}
 
 					if (friendlyName != null && !friendlyName.isEmpty()) {
-						contentStr += " FriendlyName=\"" + friendlyName + "\"";
+						contentStr += " FriendlyName=\"" + Util.toXml(friendlyName) + "\"";
 					}
 
 					if (isRequired != null) {
@@ -252,7 +254,7 @@ private String getAttributeConsumingServiceXml() {
 					if (attrValues != null && !attrValues.isEmpty()) {
 						contentStr += ">";
 						for (String attrValue : attrValues) {
-							contentStr += "<saml:AttributeValue xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" + attrValue + "</saml:AttributeValue>";
+							contentStr += "<saml:AttributeValue xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" + Util.toXml(attrValue) + "</saml:AttributeValue>";
 						}
 						attributeConsumingServiceXML.append(contentStr + "</md:RequestedAttribute>");
 					} else {
@@ -276,9 +278,9 @@ private String toContactsXml(List<Contact> contacts) {
 		StringBuilder contactsXml = new StringBuilder();
 
 		for (Contact contact : contacts) {
-			contactsXml.append("<md:ContactPerson contactType=\"" + contact.getContactType() + "\">");
-			contactsXml.append("<md:GivenName>" + contact.getGivenName() + "</md:GivenName>");
-			contactsXml.append("<md:EmailAddress>" + contact.getEmailAddress() + "</md:EmailAddress>");
+			contactsXml.append("<md:ContactPerson contactType=\"" + Util.toXml(contact.getContactType()) + "\">");
+			contactsXml.append("<md:GivenName>" + Util.toXml(contact.getGivenName()) + "</md:GivenName>");
+			contactsXml.append("<md:EmailAddress>" + Util.toXml(contact.getEmailAddress()) + "</md:EmailAddress>");
 			contactsXml.append("</md:ContactPerson>");
 		}
 
@@ -296,10 +298,10 @@ private String toOrganizationXml(Organization organization) {
 
 		if (organization != null) {
 			String lang = organization.getOrgLangAttribute();
-			orgXml = "<md:Organization><md:OrganizationName xml:lang=\"" + lang + "\">" + organization.getOrgName()
-					+ "</md:OrganizationName><md:OrganizationDisplayName xml:lang=\"" + lang + "\">"
-					+ organization.getOrgDisplayName() + "</md:OrganizationDisplayName><md:OrganizationURL xml:lang=\""
-					+ lang + "\">" + organization.getOrgUrl() + "</md:OrganizationURL></md:Organization>";
+			orgXml = "<md:Organization><md:OrganizationName xml:lang=\"" + Util.toXml(lang) + "\">" + Util.toXml(organization.getOrgName())
+					+ "</md:OrganizationName><md:OrganizationDisplayName xml:lang=\"" + Util.toXml(lang) + "\">"
+					+ Util.toXml(organization.getOrgDisplayName()) + "</md:OrganizationDisplayName><md:OrganizationURL xml:lang=\""
+					+ Util.toXml(lang) + "\">" + Util.toXml(organization.getOrgUrl()) + "</md:OrganizationURL></md:Organization>";
 		}
 		return orgXml;
 	}
@@ -363,8 +365,8 @@ private String toSLSXml(URL spSingleLogoutServiceUrl, String spSingleLogoutServi
 		StringBuilder slsXml = new StringBuilder();
 
 		if (spSingleLogoutServiceUrl != null) {
-			slsXml.append("<md:SingleLogoutService Binding=\"" + spSingleLogoutServiceBinding + "\"");
-			slsXml.append(" Location=\"" + spSingleLogoutServiceUrl.toString() + "\"/>");
+			slsXml.append("<md:SingleLogoutService Binding=\"" + Util.toXml(spSingleLogoutServiceBinding) + "\"");
+			slsXml.append(" Location=\"" + Util.toXml(spSingleLogoutServiceUrl.toString()) + "\"/>");
 		}
 		return slsXml.toString();
 	}

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -63,9 +63,9 @@
 import javax.xml.xpath.XPathFactory;
 import javax.xml.xpath.XPathFactoryConfigurationException;
 
-import com.onelogin.saml2.model.hsm.HSM;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xml.security.encryption.EncryptedData;
 import org.apache.xml.security.encryption.EncryptedKey;
@@ -95,6 +95,7 @@
 import com.onelogin.saml2.exception.ValidationError;
 import com.onelogin.saml2.exception.XMLEntityException;
 import com.onelogin.saml2.model.SamlResponseStatus;
+import com.onelogin.saml2.model.hsm.HSM;
 
 
 /**
@@ -445,7 +446,7 @@ public static String convertDocumentToString(Document doc, Boolean c14n) {
 	 * @return the Document object
 	 */
 	public static String convertDocumentToString(Document doc) {
-		return convertDocumentToString(doc, false);
+		 return convertDocumentToString(doc, false);
 	}
 
 	/**
@@ -1976,6 +1977,17 @@ public static DateTime parseDateTime(String dateTime) {
 		}
 		return parsedData;
 	}
+	
+	/**
+	 * Escape a text so that it can be safely used within an XML element contents or attribute value.
+	 * 
+	 * @param text 
+	 * 				the text to escape
+	 * @return the escaped text (<code>null</code> if the input is <code>null</code>)
+	 */
+	public static String toXml(String text) {
+		return StringEscapeUtils.escapeXml10(text);
+	}
 
 	private static String toStringUtf8(byte[] bytes) {
 		try {