Re: CFXMLCreateStringByUnescapingEntities() bombs on "�"
- Subject: Re: CFXMLCreateStringByUnescapingEntities() bombs on "�"
- From: Jens Alfke <email@hidden>
- Date: Tue, 25 Mar 2014 11:12:40 -0700
On Mar 25, 2014, at 10:49 AM, Quincey Morris <email@hidden> wrote:
> I agree this is probably a bug in CFXMLCreateStringByUnescapingEntities. It seems to have assumed a missing ‘;’ at the end of an otherwise valid escaped character entity. It probably shouldn’t make this assumption.
Allowing a missing semicolon seems like the kind of leniency that’s required in real-world HTML parsing. But it shouldn’t be happening in a function that operates on XML.
> However, I also see this as a bug in your code, since you’re accepting “random” user input as formatted text (i.e. escaped HTML) without validation. That sort of assumption makes you prone to exploding bugs like your Core Data crash. It’s similar to buffer overflow bugs, in that not only can it cause crashes but also it can compromise system security.
I agree — it seems like the 32-bit equivalent of the more common mistake of accepting an input blob containing text without first checking that it’s valid UTF-8. I did that once, and after debugging the resulting file corruption bug I made this sign to stick on my monitor: http://mooseyard.com/Pictures/UntrustedUTF8.png
Now, what method/function should we use to validate that an NSString actually contains valid Unicode code points?
—Jens
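As an added example (not code from this message, from Apple, or from CoreFoundation), here is a C model of the stricter behaviour the two posters are asking for: a numeric character reference parser that treats a missing ';' as an error instead of an assumed terminator and rejects any value outside the XML 1.0 Char production, together with a strict UTF-8 validator for the "untrusted input blob" case. It goes a little beyond the single case in the thread by also rejecting overlong encodings, encoded surrogates and values above U+10FFFF. The function names (is_xml_char, utf8_validate, parse_charref, charref_value) and all sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* XML 1.0 "Char" production: the only code points a well-formed document
   (and therefore a character reference) may denote. NUL, surrogates and
   U+FFFE/U+FFFF are excluded. */
static int is_xml_char(uint32_t cp) {
    return cp == 0x9 || cp == 0xA || cp == 0xD ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Strict UTF-8 validation of an untrusted byte buffer (constructed helper,
   not a CoreFoundation API). Rejects bad lead/continuation bytes, truncated
   sequences, overlong encodings, encoded surrogates and values above
   U+10FFFF. Returns the number of code points, or -1 at the first error. */
long utf8_validate(const uint8_t *s, size_t n) {
    long count = 0;
    size_t i = 0;
    while (i < n) {
        uint8_t b = s[i];
        uint32_t cp, min;
        size_t len;
        if (b < 0x80)                { cp = b;        len = 1; min = 0; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; len = 2; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; len = 3; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { cp = b & 0x07; len = 4; min = 0x10000; }
        else return -1;                     /* stray continuation byte or 0xF8+ lead */
        if (i + len > n) return -1;         /* truncated sequence */
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return -1;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return -1;            /* overlong, e.g. C0 AF for '/' */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;
        if (cp > 0x10FFFF) return -1;
        i += len;
        count++;
    }
    return count;
}

/* Parse one numeric character reference ("&#NNN;" or "&#xHHHH;") at the
   start of s. Unlike a lenient HTML-style unescaper, a missing ';' is an
   error rather than an assumed terminator, and the value must be an XML
   Char. On success stores the code point in *out and returns the number of
   bytes consumed; returns 0 on any failure. */
size_t parse_charref(const char *s, size_t n, uint32_t *out) {
    if (n < 4 || s[0] != '&' || s[1] != '#') return 0;
    size_t i = 2;
    int hex = 0;
    if (s[i] == 'x') { hex = 1; i++; }
    uint32_t cp = 0;
    size_t digits = 0;
    while (i < n && s[i] != ';') {
        char c = s[i];
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (hex && c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (hex && c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;                      /* non-digit before the ';' */
        cp = cp * (hex ? 16u : 10u) + (uint32_t)d;
        if (cp > 0x10FFFF) return 0;        /* bound it before it can overflow */
        digits++;
        i++;
    }
    if (digits == 0 || i >= n || s[i] != ';') return 0;  /* no digits, or no ';' */
    if (!is_xml_char(cp)) return 0;
    *out = cp;
    return i + 1;
}

/* Convenience wrapper for NUL-terminated input: the code point, or
   UINT32_MAX if the reference is rejected. */
uint32_t charref_value(const char *s) {
    uint32_t cp;
    return parse_charref(s, strlen(s), &cp) ? cp : UINT32_MAX;
}

int main(void) {
    /* Constructed inputs: a valid U+20AC and an overlong '/'. */
    static const uint8_t euro[] = {0xE2, 0x82, 0xAC};
    static const uint8_t overlong[] = {0xC0, 0xAF};
    printf("euro: %ld code point(s), overlong: %ld\n",
           utf8_validate(euro, sizeof euro), utf8_validate(overlong, sizeof overlong));
    const char *refs[] = {"&#65;", "&#x20AC;", "&#65 ", "&#xFFFF;", "&#xD800;"};
    for (size_t r = 0; r < sizeof refs / sizeof refs[0]; r++) {
        uint32_t cp = charref_value(refs[r]);
        if (cp == UINT32_MAX) printf("%-10s rejected\n", refs[r]);
        else                  printf("%-10s U+%04X\n", refs[r], cp);
    }
    return 0;
}
```

This works on bytes, so it does not answer the closing question about an existing NSString; such a string already holds UTF-16 code units, and the analogous check there is for unpaired surrogates rather than for malformed UTF-8.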
_______________________________________________
Cocoa-dev mailing list (email@hidden)