NSString: Use SecurityElement.Escape to escape XML characters

2025-12-16 11:04:26 +00:00 · 2025-01-08 20:47:15 +01:00
parent a0b698a815
commit 0e334f995d
2 changed files with 32 additions and 11 deletions
--- a/plist-cil.test/NSStringTests.cs
+++ b/plist-cil.test/NSStringTests.cs
@@ -0,0 +1,29 @@
+using Claunia.PropertyList;
+using Xunit;
+
+namespace plistcil.test
+{
+    public class NSStringTests
+    {
+        const string START_TOKEN = "<string>";
+        const string END_TOKEN = "</string>";
+
+        [InlineData("abc", "abc")]
+        [InlineData("a>b", "a&gt;b")]
+        [InlineData("a<b", "a&lt;b")]
+        [InlineData("a&b", "a&amp;b")]
+        [Theory]
+        public void Content_IsEscaped(string value, string content)
+        {
+            var element = new NSString(value);
+            string xml = element.ToXmlPropertyList();
+
+            // Strip the leading and trailing data, so we just get the string element itself
+            int start = xml.IndexOf(START_TOKEN) + START_TOKEN.Length;
+            int end = xml.IndexOf(END_TOKEN);
+            string actualContent = xml.Substring(start, end - start);
+
+            Assert.Equal(content, actualContent);
+        }
+    }
+}
--- a/plist-cil/NSString.cs
+++ b/plist-cil/NSString.cs
@@ -1,4 +1,4 @@
-// plist-cil - An open source library to parse and generate property lists for .NET
+// plist-cil - An open source library to parse and generate property lists for .NET
 // Copyright (C) 2015 Natalia Portillo
 //
 // This code is based on:
@@ -24,6 +24,7 @@
 // SOFTWARE.

 using System;
+using System.Security;
 using System.Text;

 namespace Claunia.PropertyList
@@ -136,16 +137,7 @@ namespace Claunia.PropertyList

            //According to http://www.w3.org/TR/REC-xml/#syntax node values must not
            //contain the characters < or &. Also the > character should be escaped.
-            if(Content.Contains("&") ||
-               Content.Contains("<") ||
-               Content.Contains(">"))
-            {
-                xml.Append("<![CDATA[");
-                xml.Append(Content.Replace("]]>", "]]]]><![CDATA[>"));
-                xml.Append("]]>");
-            }
-            else
-                xml.Append(Content);
+            xml.Append(SecurityElement.Escape(Content));

            xml.Append("</string>");
        }