miniflux/internal/reader/xml/decoder.go

// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

package xml // import "miniflux.app/v2/internal/reader/xml"

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"

	"miniflux.app/v2/internal/reader/encoding"
)

// NewDecoder returns a XML decoder that filters illegal characters.
func NewDecoder(data io.Reader) *xml.Decoder {
	var decoder *xml.Decoder
	buffer, _ := io.ReadAll(data)
	enc := procInst("encoding", string(buffer))
	if enc != "" && enc != "utf-8" && enc != "UTF-8" && !strings.EqualFold(enc, "utf-8") {
		// filter invalid chars later within decoder.CharsetReader
		decoder = xml.NewDecoder(bytes.NewReader(buffer))
	} else {
		// filter invalid chars now, since decoder.CharsetReader not called for utf-8 content
		filteredBytes := bytes.Map(filterValidXMLChar, buffer)
		decoder = xml.NewDecoder(bytes.NewReader(filteredBytes))
	}

	decoder.Entity = xml.HTMLEntity
	decoder.Strict = false
	decoder.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) {
		utf8Reader, err := encoding.CharsetReader(charset, input)
		if err != nil {
			return nil, err
		}
		rawData, err := io.ReadAll(utf8Reader)
		if err != nil {
			return nil, fmt.Errorf("Unable to read data: %q", err)
		}
		filteredBytes := bytes.Map(filterValidXMLChar, rawData)
		return bytes.NewReader(filteredBytes), nil
	}

	return decoder
}

// This function is copied from encoding/xml package,
// and is used to check if all the characters are legal.
func filterValidXMLChar(r rune) rune {
	if r == 0x09 ||
		r == 0x0A ||
		r == 0x0D ||
		r >= 0x20 && r <= 0xD7FF ||
		r >= 0xE000 && r <= 0xFFFD ||
		r >= 0x10000 && r <= 0x10FFFF {
		return r
	}
	return -1
}

// This function is copied from encoding/xml package,
// procInst parses the `param="..."` or `param='...'`
// value out of the provided string, returning "" if not found.
func procInst(param, s string) string {
	// TODO: this parsing is somewhat lame and not exact.
	// It works for all actual cases, though.
	param = param + "="
	idx := strings.Index(s, param)
	if idx == -1 {
		return ""
	}
	v := s[idx+len(param):]
	if v == "" {
		return ""
	}
	if v[0] != '\'' && v[0] != '"' {
		return ""
	}
	idx = strings.IndexRune(v[1:], rune(v[0]))
	if idx == -1 {
		return ""
	}
	return v[1 : idx+1]
}
Replace copyright header with SPDX identifier 2023-06-19 23:42:47 +02:00			`// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
Improve XML decoder to remove illegal characters 2019-10-23 05:27:27 +02:00
Move internal packages to an internal folder For reference: https://go.dev/doc/go1.4#internalpackages 2023-08-11 04:46:45 +02:00			`package xml // import "miniflux.app/v2/internal/reader/xml"`
Improve XML decoder to remove illegal characters 2019-10-23 05:27:27 +02:00
			`import (`
			`"bytes"`
			`"encoding/xml"`
			`"fmt"`
			`"io"`
Filter valid XML characters for UTF-8 XML documents before decoding This change should reduce "illegal character code" XML errors. 2019-12-20 03:31:52 +01:00			`"strings"`
Improve XML decoder to remove illegal characters 2019-10-23 05:27:27 +02:00
Move internal packages to an internal folder For reference: https://go.dev/doc/go1.4#internalpackages 2023-08-11 04:46:45 +02:00			`"miniflux.app/v2/internal/reader/encoding"`
Improve XML decoder to remove illegal characters 2019-10-23 05:27:27 +02:00			`)`

			`// NewDecoder returns a XML decoder that filters illegal characters.`
			`func NewDecoder(data io.Reader) *xml.Decoder {`
Filter valid XML characters for UTF-8 XML documents before decoding This change should reduce "illegal character code" XML errors. 2019-12-20 03:31:52 +01:00			`var decoder *xml.Decoder`
Remove deprecated io/ioutil package Miniflux now requires at least Go 1.16 and io/util is deprecated. https://golang.org/doc/go1.16#ioutil 2021-02-17 06:19:03 +01:00			`buffer, _ := io.ReadAll(data)`
Filter valid XML characters for UTF-8 XML documents before decoding This change should reduce "illegal character code" XML errors. 2019-12-20 03:31:52 +01:00			`enc := procInst("encoding", string(buffer))`
			`if enc != "" && enc != "utf-8" && enc != "UTF-8" && !strings.EqualFold(enc, "utf-8") {`
			`// filter invalid chars later within decoder.CharsetReader`
			`decoder = xml.NewDecoder(bytes.NewReader(buffer))`
			`} else {`
			`// filter invalid chars now, since decoder.CharsetReader not called for utf-8 content`
			`filteredBytes := bytes.Map(filterValidXMLChar, buffer)`
			`decoder = xml.NewDecoder(bytes.NewReader(filteredBytes))`
			`}`

Improve XML decoder to remove illegal characters 2019-10-23 05:27:27 +02:00			`decoder.Entity = xml.HTMLEntity`
			`decoder.Strict = false`
			`decoder.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) {`
			`utf8Reader, err := encoding.CharsetReader(charset, input)`
			`if err != nil {`
			`return nil, err`
			`}`
Remove deprecated io/ioutil package Miniflux now requires at least Go 1.16 and io/util is deprecated. https://golang.org/doc/go1.16#ioutil 2021-02-17 06:19:03 +01:00			`rawData, err := io.ReadAll(utf8Reader)`
Improve XML decoder to remove illegal characters 2019-10-23 05:27:27 +02:00			`if err != nil {`
			`return nil, fmt.Errorf("Unable to read data: %q", err)`
			`}`
			`filteredBytes := bytes.Map(filterValidXMLChar, rawData)`
			`return bytes.NewReader(filteredBytes), nil`
			`}`

			`return decoder`
			`}`

			`// This function is copied from encoding/xml package,`
			`// and is used to check if all the characters are legal.`
			`func filterValidXMLChar(r rune) rune {`
			`if r == 0x09 \|\|`
			`r == 0x0A \|\|`
			`r == 0x0D \|\|`
			`r >= 0x20 && r <= 0xD7FF \|\|`
			`r >= 0xE000 && r <= 0xFFFD \|\|`
			`r >= 0x10000 && r <= 0x10FFFF {`
			`return r`
			`}`
			`return -1`
			`}`
Filter valid XML characters for UTF-8 XML documents before decoding This change should reduce "illegal character code" XML errors. 2019-12-20 03:31:52 +01:00
			`// This function is copied from encoding/xml package,`
			// procInst parses the `param="..."` or `param='...'`
			`// value out of the provided string, returning "" if not found.`
			`func procInst(param, s string) string {`
			`// TODO: this parsing is somewhat lame and not exact.`
			`// It works for all actual cases, though.`
			`param = param + "="`
			`idx := strings.Index(s, param)`
			`if idx == -1 {`
			`return ""`
			`}`
			`v := s[idx+len(param):]`
			`if v == "" {`
			`return ""`
			`}`
			`if v[0] != '\'' && v[0] != '"' {`
			`return ""`
			`}`
			`idx = strings.IndexRune(v[1:], rune(v[0]))`
			`if idx == -1 {`
			`return ""`
			`}`
			`return v[1 : idx+1]`
			`}`