
XML serialization does not escape special characters #103

Open
mickdekkers opened this issue Aug 21, 2024 · 2 comments
Labels: bug (Something isn't working)

@mickdekkers

Hi @ballsteve, @Devasta, I'm reporting this as an issue on GitHub as discussed.

I noticed that the XML serialization in xrust doesn't seem to be escaping special characters like & and ". This can produce invalid syntax, but could also theoretically lead to XML injection attacks if someone passes malicious input to an application using xrust (e.g. if that application includes a parse -> serialize -> parse sequence somewhere). Practically speaking however, given the limited download count of the package, we believe it very unlikely that any application using xrust is written in such a way as to be vulnerable as a result of this issue, especially without it being noticed during development.

Example main.rs code:

```rust
use std::rc::Rc;
use xrust::parser::xml;
use xrust::trees::smite::Node as SmiteNode;
use xrust::Node;

fn main() {
    // Input document using the five predefined XML entities, in both an
    // attribute value and in character data.
    let input = r"
<doc attr='&apos;'>
    XML escape test: &lt; &gt; &amp; &apos; &quot;
</doc>";

    // Parse, then serialize again; the serializer should re-escape the
    // characters the parser expanded.
    let doc = xml::parse(Rc::new(SmiteNode::new()), input, None).unwrap();
    println!("{}", doc.to_xml());
}
```

Outputs:

```xml
<doc attr='''>
  XML escape test: < > & ' "
</doc>
```
@ballsteve ballsteve self-assigned this Aug 21, 2024
@ballsteve ballsteve added the bug Something isn't working label Aug 21, 2024
@ballsteve
Owner

Thanks for the bug report, Mick. I'll take a look at this ASAP.

Maybe once bugs like this are fixed the download count will become more respectable ;-)

@Devasta
Collaborator

Devasta commented Aug 22, 2024

So the current escaping is done by the transformation step, to allow us to support disable-output-escaping, so we need to move that to the serialiser, but also support that.

The XSLT spec suggests the way to go about this is to expand the data model with a Boolean to flag whether the output is to be escaped or not; we can look into that approach?
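
The following is an added illustration, not xrust's code, of what the issue report and the comment above describe: a naive serializer that writes values verbatim (reproducing the `attr='''` output shown in the report) beside one that escapes on output, with a per-text-node Boolean modelling the disable-output-escaping flag the XSLT spec suggests. The `Element`, `Text`, `escape_text`, `escape_attr` and `sample_doc` names are assumptions of this example and do not exist in xrust.

```rust
// Added example (not xrust's code). A minimal element model with two
// serializers: one that writes values as-is (the reported bug) and one that
// escapes at output time, honouring a per-node "do not escape" flag.

/// A text node. `escape == false` models disable-output-escaping="yes":
/// the content is emitted verbatim, so it must already be well-formed,
/// trusted markup.
#[derive(Debug, Clone)]
pub struct Text {
    pub content: String,
    pub escape: bool,
}

#[derive(Debug, Clone)]
pub struct Element {
    pub name: String,
    pub attrs: Vec<(String, String)>, // (name, value), value unescaped
    pub children: Vec<Text>,
}

/// Escape character data. '&' and '<' are mandatory; '>' is escaped as well,
/// which is always valid and covers the "]]>" sequence.
pub fn escape_text(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            _ => out.push(c),
        }
    }
    out
}

/// Escape an attribute value. Both quote characters are escaped, so the
/// result is correct whichever delimiter the serializer chooses.
pub fn escape_attr(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&apos;"),
            _ => out.push(c),
        }
    }
    out
}

fn serialize(e: &Element, escape_output: bool) -> String {
    let mut out = format!("<{}", e.name);
    for (k, v) in &e.attrs {
        let v = if escape_output { escape_attr(v) } else { v.clone() };
        out.push_str(&format!(" {}='{}'", k, v));
    }
    out.push('>');
    for t in &e.children {
        if escape_output && t.escape {
            out.push_str(&escape_text(&t.content));
        } else {
            out.push_str(&t.content);
        }
    }
    out.push_str(&format!("</{}>", e.name));
    out
}

/// Naive serializer mirroring the reported behaviour: a value of `'` in a
/// single-quoted attribute produces `attr='''`, which is not well-formed.
pub fn to_xml_unescaped(e: &Element) -> String {
    serialize(e, false)
}

/// Hardened serializer: escaping happens at output time, except for text
/// nodes whose flag opts out (disable-output-escaping).
pub fn to_xml(e: &Element) -> String {
    serialize(e, true)
}

/// Constructed sample mirroring the document in the bug report after parsing,
/// i.e. with the entity references already expanded.
pub fn sample_doc() -> Element {
    Element {
        name: "doc".to_string(),
        attrs: vec![("attr".to_string(), "'".to_string())],
        children: vec![Text { content: "XML escape test: < > & ' \"".to_string(), escape: true }],
    }
}

fn main() {
    let doc = sample_doc();
    println!("unescaped: {}", to_xml_unescaped(&doc));
    println!("escaped:   {}", to_xml(&doc));
}
```

The point of the split is that a parse, serialize, parse sequence only round-trips when escaping is applied by the serializer: the escaped output re-parses to an attribute value of `'` again, whereas the naive output is rejected (or, with a lenient parser, yields different structure than the input).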

Development

No branches or pull requests

3 participants