From 01c5e284d743e5a6cf9139d5c2cc921d51c73cc8 Mon Sep 17 00:00:00 2001
From: Michael Andres
Date: Thu, 21 Nov 2013 09:12:46 +0100
Subject: [PATCH] Filter control chars illegal in XML1.0 (bnc#850907)
---
 zypp/parser/xml/XmlEscape.cc | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/zypp/parser/xml/XmlEscape.cc b/zypp/parser/xml/XmlEscape.cc
index 8994561..e30c6b4 100644
--- a/zypp/parser/xml/XmlEscape.cc
+++ b/zypp/parser/xml/XmlEscape.cc
@@ -39,20 +39,30 @@ namespace iobind
 {
 std::string escape(const std::string &istr) const
 {
- size_t i;
- std::string str = istr;
- i = str.find_first_of("<>&'\"");
- while (i != std::string::npos)
+ typedef unsigned char uchar;
+
+ std::string str( istr );
+ for_( i, size_t(0), str.size() )
 {
 switch (str[i])
 {
 case '<': str.replace(i, 1, "<"); i += 3; break;
 case '>': str.replace(i, 1, ">"); i += 3; break;
 case '&': str.replace(i, 1, "&"); i += 4; break;
- case '\'': str.replace(i, 1, "'"); i += 5; break;
 case '"': str.replace(i, 1, """); i += 5; break;
+ case '\'': str.replace(i, 1, "'"); i += 5; break;
+
+ // control chars we allow:
+ case '\n':
+ case '\r':
+ case '\t':
+ break;
+
+ default:
+ if ( uchar(str[i]) < 32u )
+ str[i] = '?'; // filter problematic control chars (XML1.0)
+ break;
 }
- i = str.find_first_of("<>&'\"", i + 1);
 }
 return str;
 }
--
2.7.4
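Review bot: The new loop header `for_( i, size_t(0), str.size() )` iterates over a string that the body lengthens with `str.replace` and whose index it advances with `i += 3/4/5`; `for_` is defined outside this hunk, so whether the end bound is re-read on each pass cannot be confirmed from here. If the macro captures `str.size()` once and compares with `!=`, everything past the original length is left unescaped and unfiltered, and an `i += N` jump can step over the cached bound and index past the end of the string. Spelling the loop out as `for ( size_t i = 0; i < str.size(); ++i )` removes the dependence on the macro's semantics. Separately, the `default:` branch filters single bytes below 32 only, so malformed UTF-8 or the encoded forms of U+FFFE/U+FFFF, which XML 1.0 also excludes, would still reach the output if callers can pass such input. The enclosing struct and namespace begin before the hunk.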