fix: Terminate if SVG data includes a script tag (GHSA-cf4q-4cqr-7g7w)
kesara committed Apr 12, 2022
1 parent 3badf55 commit df99f94
Showing 13 changed files with 56 additions and 38 deletions.
2 changes: 1 addition & 1 deletion tests/valid/docfile.py36.html
Expand Up @@ -24,7 +24,7 @@
<thead><tr>
<td class="left"></td>
<td class="center">Xml2rfc Vocabulary V3 Schema</td>
<td class="right">March 2022</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">xml2rfc(1)</td>
2 changes: 1 addition & 1 deletion tests/valid/docfile.py37.html
Expand Up @@ -24,7 +24,7 @@
<thead><tr>
<td class="left"></td>
<td class="center">Xml2rfc Vocabulary V3 Schema</td>
<td class="right">March 2022</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">xml2rfc(1)</td>
2 changes: 1 addition & 1 deletion tests/valid/docfile.py38.html
Expand Up @@ -24,7 +24,7 @@
<thead><tr>
<td class="left"></td>
<td class="center">Xml2rfc Vocabulary V3 Schema</td>
<td class="right">March 2022</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">xml2rfc(1)</td>
2 changes: 1 addition & 1 deletion tests/valid/elements.prepped.xml
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="info" docName="elements-00" indexInclude="false" ipr="trust200902" obsoletes="1234,5678,9012,3456,7890" prepTime="2021-10-08T15:41:57" scripts="Cherokee,Common,Greek,Han,Hebrew,Latin" sortRefs="true" submissionType="independent" symRefs="true" tocDepth="3" tocInclude="true">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="info" docName="elements-00" indexInclude="false" ipr="trust200902" obsoletes="1234,5678,9012,3456,7890" prepTime="2022-04-12T02:25:45" scripts="Cherokee,Common,Greek,Han,Hebrew,Latin" sortRefs="true" submissionType="independent" symRefs="true" tocDepth="3" tocInclude="true">



16 changes: 8 additions & 8 deletions tests/valid/indexes.pages.text
Expand Up @@ -3,9 +3,9 @@


Network Working Group H. Person, Ed.
Internet-Draft March 11, 2022
Internet-Draft April 12, 2022
Intended status: Experimental
Expires: September 12, 2022
Expires: October 14, 2022


xml2rfc index tests
Expand All @@ -26,7 +26,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 12, 2022.
This Internet-Draft will expire on October 14, 2022.

Copyright Notice

Expand All @@ -53,9 +53,9 @@ Table of Contents



Person Expires September 12, 2022 [Page 1]
Person Expires October 14, 2022 [Page 1]

Internet-Draft xml2rfc index tests March 2022
Internet-Draft xml2rfc index tests April 2022


This is another section!
Expand Down Expand Up @@ -109,9 +109,9 @@ Index



Person Expires September 12, 2022 [Page 2]
Person Expires October 14, 2022 [Page 2]

Internet-Draft xml2rfc index tests March 2022
Internet-Draft xml2rfc index tests April 2022


em Section 1, Paragraph 1
Expand Down Expand Up @@ -165,4 +165,4 @@ Author's Address



Person Expires September 12, 2022 [Page 3]
Person Expires October 14, 2022 [Page 3]
6 changes: 3 additions & 3 deletions tests/valid/indexes.prepped.xml
@@ -1,5 +1,5 @@
<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="exp" docName="indexes-00" indexInclude="true" ipr="trust200902" prepTime="2022-03-11T00:41:46" scripts="Common,Latin" sortRefs="true" submissionType="independent" symRefs="true" tocDepth="3" tocInclude="true">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="exp" docName="indexes-00" indexInclude="true" ipr="trust200902" prepTime="2022-04-12T02:27:13" scripts="Common,Latin" sortRefs="true" submissionType="independent" symRefs="true" tocDepth="3" tocInclude="true">
<!-- xml2rfc v2v3 conversion 3.12.3 -->


Expand All @@ -20,7 +20,7 @@
</postal>
</address>
</author>
<date day="11" month="03" year="2022"/>
<date day="12" month="04" year="2022"/>
<boilerplate>
<section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
<name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
Expand All @@ -41,7 +41,7 @@
material or to cite them other than as "work in progress."
</t>
<t indent="0" pn="section-boilerplate.1-4">
This Internet-Draft will expire on 12 September 2022.
This Internet-Draft will expire on 14 October 2022.
</t>
</section>
<section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
6 changes: 3 additions & 3 deletions tests/valid/indexes.text
Expand Up @@ -3,9 +3,9 @@


Network Working Group H. Person, Ed.
Internet-Draft March 11, 2022
Internet-Draft April 12, 2022
Intended status: Experimental
Expires: September 12, 2022
Expires: October 14, 2022


xml2rfc index tests
Expand All @@ -26,7 +26,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on September 12, 2022.
This Internet-Draft will expire on October 14, 2022.

Copyright Notice

10 changes: 5 additions & 5 deletions tests/valid/indexes.v3.py36.html
Expand Up @@ -19,11 +19,11 @@
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">xml2rfc index tests</td>
<td class="right">March 2022</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">Person</td>
<td class="center">Expires September 12, 2022</td>
<td class="center">Expires October 14, 2022</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
Expand All @@ -36,12 +36,12 @@
<dd class="internet-draft">indexes-00</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-03-11" class="published">March 11, 2022</time>
<time datetime="2022-04-12" class="published">April 12, 2022</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Experimental</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2022-09-12">September 12, 2022</time></dd>
<dd class="expires"><time datetime="2022-10-14">October 14, 2022</time></dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
Expand Down Expand Up @@ -71,7 +71,7 @@ <h2 id="name-status-of-this-memo">
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on September 12, 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on October 14, 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
10 changes: 5 additions & 5 deletions tests/valid/indexes.v3.py37.html
Expand Up @@ -19,11 +19,11 @@
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">xml2rfc index tests</td>
<td class="right">March 2022</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">Person</td>
<td class="center">Expires September 12, 2022</td>
<td class="center">Expires October 14, 2022</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
Expand All @@ -36,12 +36,12 @@
<dd class="internet-draft">indexes-00</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-03-11" class="published">March 11, 2022</time>
<time datetime="2022-04-12" class="published">April 12, 2022</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Experimental</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2022-09-12">September 12, 2022</time></dd>
<dd class="expires"><time datetime="2022-10-14">October 14, 2022</time></dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
Expand Down Expand Up @@ -71,7 +71,7 @@ <h2 id="name-status-of-this-memo">
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on September 12, 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on October 14, 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
10 changes: 5 additions & 5 deletions tests/valid/indexes.v3.py38.html
Expand Up @@ -19,11 +19,11 @@
<thead><tr>
<td class="left">Internet-Draft</td>
<td class="center">xml2rfc index tests</td>
<td class="right">March 2022</td>
<td class="right">April 2022</td>
</tr></thead>
<tfoot><tr>
<td class="left">Person</td>
<td class="center">Expires September 12, 2022</td>
<td class="center">Expires October 14, 2022</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
Expand All @@ -36,12 +36,12 @@
<dd class="internet-draft">indexes-00</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2022-03-11" class="published">March 11, 2022</time>
<time datetime="2022-04-12" class="published">April 12, 2022</time>
</dd>
<dt class="label-intended-status">Intended Status:</dt>
<dd class="intended-status">Experimental</dd>
<dt class="label-expires">Expires:</dt>
<dd class="expires"><time datetime="2022-09-12">September 12, 2022</time></dd>
<dd class="expires"><time datetime="2022-10-14">October 14, 2022</time></dd>
<dt class="label-authors">Author:</dt>
<dd class="authors">
<div class="author">
Expand Down Expand Up @@ -71,7 +71,7 @@ <h2 id="name-status-of-this-memo">
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow"></a></p>
<p id="section-boilerplate.1-4">
This Internet-Draft will expire on September 12, 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
This Internet-Draft will expire on October 14, 2022.<a href="#section-boilerplate.1-4" class="pilcrow"></a></p>
</section>
</div>
<div id="copyright">
2 changes: 1 addition & 1 deletion tests/valid/manpage.txt
@@ -1,5 +1,5 @@
xml2rfc(1) xml2rfc(1)
11 March 2022
12 April 2022


Xml2rfc Vocabulary Version 3 Schema
6 changes: 3 additions & 3 deletions tests/valid/rfc6787.exp.xml
Expand Up @@ -11141,7 +11141,7 @@ identification-tag = token
<references title="Normative References">
<!--RTP-->

<reference anchor="RFC3550" target="https://www.rfc-editor.org/info/rfc3550" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3550.xml" quote-title="true">
<reference anchor="RFC3550" target="https://www.rfc-editor.org/info/rfc3550" xml:base="https://www.rfc-editor.org/refs/bibxml/reference.RFC.3550.xml" quote-title="true">
<front>
<title>RTP: A Transport Protocol for Real-Time Applications</title>
<author initials="H." surname="Schulzrinne" fullname="H. Schulzrinne"><organization/></author>
Expand Down Expand Up @@ -11338,7 +11338,7 @@ identification-tag = token

<!--Internet Message Format-->

<reference anchor="RFC5322" target="https://www.rfc-editor.org/info/rfc5322" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5322.xml" quote-title="true">
<reference anchor="RFC5322" target="https://www.rfc-editor.org/info/rfc5322" xml:base="https://www.rfc-editor.org/refs/bibxml/reference.RFC.5322.xml" quote-title="true">
<front>
<title>Internet Message Format</title>
<author initials="P." surname="Resnick" fullname="P. Resnick" role="editor"><organization/></author>
Expand Down Expand Up @@ -11420,7 +11420,7 @@ identification-tag = token

<!--Domain names - implementation and specification-->

<reference anchor="RFC1035" target="https://www.rfc-editor.org/info/rfc1035" xml:base="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml" quote-title="true">
<reference anchor="RFC1035" target="https://www.rfc-editor.org/info/rfc1035" xml:base="https://www.rfc-editor.org/refs/bibxml/reference.RFC.1035.xml" quote-title="true">
<front>
<title>Domain names - implementation and specification</title>
<author initials="P.V." surname="Mockapetris" fullname="P.V. Mockapetris"><organization/></author>
20 changes: 19 additions & 1 deletion xml2rfc/writers/base.py
Expand Up @@ -32,6 +32,12 @@
bare_latin_tags, unicode_attributes, downcode, downcode_punctuation)
from xml2rfc.utils import namespaces, find_duplicate_ids, slugify


DEADLY_ERRORS = [
'Element svg has extra content: script',
'Did not expect element script there',
]

default_silenced_messages = [
# ".*[Pp]ostal address",
]
Expand Down Expand Up @@ -2136,6 +2142,15 @@ def indent(e, i):
indent(e, 0)
e.tail = None

def deadly_error(self, error):
# errors that xml2rfc must not allow to continue

if error.message in DEADLY_ERRORS:
if self.options.verbose:
msg = "%s(%s): Error: Can not continue further with error: %s" % (self.xmlrfc.source, error.line, error.message)
self.log(msg)
return True

def validate(self, when='', warn=False):
# Note: Our schema doesn't permit xi:include elements, so the document
# must have had XInclude processing done before calling validate()
Expand Down Expand Up @@ -2164,11 +2179,14 @@ def validate(self, when='', warn=False):
"higher for better error messages." % ('.'.join(str(v) for v in lxmlver), ))
# These warnings are occasionally incorrect -- disable this
# output for now:
deadly = False
if hasattr(e, 'error_log'):
for error in e.error_log:
path = getattr(error, 'path', '')
msg = "%s(%s): %s: %s, at %s" % (self.xmlrfc.source, error.line, error.level_name.title(), error.message, path)
self.log(msg)
if not deadly:
deadly = self.deadly_error(error)
if error.message.startswith("Did not expect text"):
items = self.tree.xpath(error.path + '/text()')
for item in items:
Expand All @@ -2179,7 +2197,7 @@ def validate(self, when='', warn=False):

else:
log.warn('\nInvalid document: %s' % (e,))
if warn:
if warn and not deadly:
self.warn(self.root, 'Invalid document%s.' % (when, ))
return False
else:
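Review bot: The new `deadly_error` guard in xml2rfc/writers/base.py decides whether to terminate by testing `error.message in DEADLY_ERRORS`, an exact match on two validator message strings, so it fails open whenever the validator words the error differently (for example another library version, or a script element reported under a parent other than `svg`), and with `warn=True` processing would then continue as before. Since this is the control for GHSA-cf4q-4cqr-7g7w, consider checking the parsed tree directly in `validate()` instead of relying on message text, e.g. `if self.tree.xpath("//*[local-name()='script']"): deadly = True`, assuming the vocabulary permits no script element anywhere. `deadly_error` also falls off the end and returns `None` for unlisted messages; an explicit `return False` would make the `deadly = self.deadly_error(error)` assignment easier to read. None of the changed files shown on this page appears to add a negative test input (an SVG carrying a script element that must make the run fail), which would pin the behaviour against future changes in message wording. The body of `validate()` continues outside the hunk, so the final `else:` path and the `e` without `error_log` case, where `deadly` stays `False`, cannot be fully judged from here.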