Properly escape text to produce valid XML

The generation methods for metadata, AuthnRequest, LogoutRequest and
LogoutResponse XML documents and messages have been changed so that any
text that could be specified by the user is properly escaped in order to
produce a valid XML output: characters like &, ", < and > are then
replaced with the corresponding XML entities (&amp; &quot;, &lt;, &gt;).

The commons-lang StringEscapeUtils class has been used, although being
deprecated: the deprecation warning suggests to switch to an equivalent
class of commons-text, which java-saml currently does not depend on. I
leave the decision to possibly switch to it for future evaluation:
the escaping logic was indeed implemented in the Util class, so any
implementation change of it just needs to change Util.toXml(String)
method.

Closes #309 and #305.

Author: mauromol

core/src/main/java/com/onelogin/saml2/authn/AuthnRequest.java

@@ -186,15 +186,15 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		String destinationStr = "";
 		URL sso =  settings.getIdpSingleSignOnServiceUrl();
 		if (sso != null) {
-			destinationStr = " Destination=\"" + sso.toString() + "\"";
+			destinationStr = " Destination=\"" + Util.toXml(sso.toString()) + "\"";
 		}
 		valueMap.put("destinationStr", destinationStr);
 
 		String subjectStr = "";
 		if (nameIdValueReq != null && !nameIdValueReq.isEmpty()) {
 			String nameIDFormat = settings.getSpNameIDFormat();
 			subjectStr = "<saml:Subject>";
-			subjectStr += "<saml:NameID Format=\"" + nameIDFormat + "\">" + nameIdValueReq + "</saml:NameID>";
+			subjectStr += "<saml:NameID Format=\"" + Util.toXml(nameIDFormat) + "\">" + Util.toXml(nameIdValueReq) + "</saml:NameID>";
 			subjectStr += "<saml:SubjectConfirmation Method=\"urn:oasis:names:tc:SAML:2.0:cm:bearer\"></saml:SubjectConfirmation>";
 			subjectStr += "</saml:Subject>";
         }
@@ -206,7 +206,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 			if (settings.getWantNameIdEncrypted()) {
 				nameIDPolicyFormat = Constants.NAMEID_ENCRYPTED;
 			}
-			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + nameIDPolicyFormat + "\" AllowCreate=\"true\" />";
+			nameIDPolicyStr = "<samlp:NameIDPolicy Format=\"" + Util.toXml(nameIDPolicyFormat) + "\" AllowCreate=\"true\" />";
 		}
 		valueMap.put("nameIDPolicyStr", nameIDPolicyStr);
 
@@ -215,25 +215,25 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		if (organization != null) {
 			String displayName = organization.getOrgDisplayName();
 			if (!displayName.isEmpty()) {
-				providerStr = " ProviderName=\""+ displayName + "\""; 
+				providerStr = " ProviderName=\""+ Util.toXml(displayName) + "\""; 
 			}
 		}
 		valueMap.put("providerStr", providerStr);
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
-		valueMap.put("id", String.valueOf(id));
-		valueMap.put("assertionConsumerServiceURL", String.valueOf(settings.getSpAssertionConsumerServiceUrl()));
-		valueMap.put("protocolBinding", settings.getSpAssertionConsumerServiceBinding());
-		valueMap.put("spEntityid", settings.getSpEntityId());
+		valueMap.put("id", Util.toXml(String.valueOf(id)));
+		valueMap.put("assertionConsumerServiceURL", Util.toXml(String.valueOf(settings.getSpAssertionConsumerServiceUrl())));
+		valueMap.put("protocolBinding", Util.toXml(settings.getSpAssertionConsumerServiceBinding()));
+		valueMap.put("spEntityid", Util.toXml(settings.getSpEntityId()));
 
 		String requestedAuthnContextStr = "";
 		List<String> requestedAuthnContexts = settings.getRequestedAuthnContext();
 		if (requestedAuthnContexts != null && !requestedAuthnContexts.isEmpty()) {
 			String requestedAuthnContextCmp = settings.getRequestedAuthnContextComparison();
-			requestedAuthnContextStr = "<samlp:RequestedAuthnContext Comparison=\"" + requestedAuthnContextCmp + "\">";
+			requestedAuthnContextStr = "<samlp:RequestedAuthnContext Comparison=\"" + Util.toXml(requestedAuthnContextCmp) + "\">";
 			for (String requestedAuthnContext : requestedAuthnContexts) {
-				requestedAuthnContextStr += "<saml:AuthnContextClassRef>" + requestedAuthnContext + "</saml:AuthnContextClassRef>";
+				requestedAuthnContextStr += "<saml:AuthnContextClassRef>" + Util.toXml(requestedAuthnContext) + "</saml:AuthnContextClassRef>";
 			}
 			requestedAuthnContextStr += "</samlp:RequestedAuthnContext>";
 		}

core/src/main/java/com/onelogin/saml2/logout/LogoutRequest.java

@@ -282,19 +282,19 @@ public String getLogoutRequestXml() {
 	private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 		Map<String, String> valueMap = new HashMap<String, String>();
 
-		valueMap.put("id", id);		
+		valueMap.put("id", Util.toXml(id));		
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
 
 		String destinationStr = "";
 		URL slo =  settings.getIdpSingleLogoutServiceUrl();
 		if (slo != null) {
-			destinationStr = " Destination=\"" + slo.toString() + "\"";
+			destinationStr = " Destination=\"" + Util.toXml(slo.toString()) + "\"";
 		}
 		valueMap.put("destinationStr", destinationStr);
 
-		valueMap.put("issuer", settings.getSpEntityId());
+		valueMap.put("issuer", Util.toXml(settings.getSpEntityId()));
 
 		String nameIdFormat = null;
 		String spNameQualifier = this.nameIdSPNameQualifier;
@@ -337,7 +337,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) {
 
 		String sessionIndexStr = "";
 		if (sessionIndex != null) {
-			sessionIndexStr = " <samlp:SessionIndex>" + sessionIndex + "</samlp:SessionIndex>";
+			sessionIndexStr = " <samlp:SessionIndex>" + Util.toXml(sessionIndex) + "</samlp:SessionIndex>";
 		}
 		valueMap.put("sessionIndexStr", sessionIndexStr);
 

core/src/main/java/com/onelogin/saml2/logout/LogoutResponse.java

@@ -397,31 +397,31 @@ public void build() {
 	private StrSubstitutor generateSubstitutor(Saml2Settings settings, String statusCode) {
 		Map<String, String> valueMap = new HashMap<String, String>();
 
-		valueMap.put("id", id);
+		valueMap.put("id", Util.toXml(id));
 
 		String issueInstantString = Util.formatDateTime(issueInstant.getTimeInMillis());
 		valueMap.put("issueInstant", issueInstantString);
 
 		String destinationStr = "";
 		URL slo =  settings.getIdpSingleLogoutServiceResponseUrl();
 		if (slo != null) {
-			destinationStr = " Destination=\"" + slo.toString() + "\"";
+			destinationStr = " Destination=\"" + Util.toXml(slo.toString()) + "\"";
 		}
 		valueMap.put("destinationStr", destinationStr);
 
 		String inResponseStr = "";
 		if (inResponseTo != null) {
-			inResponseStr = " InResponseTo=\"" + inResponseTo + "\"";
+			inResponseStr = " InResponseTo=\"" + Util.toXml(inResponseTo) + "\"";
 		}
 		valueMap.put("inResponseStr", inResponseStr);		
 
 		String statusStr = "";
 		if (statusCode != null) {
-			statusStr = "Value=\"" + statusCode + "\"";
+			statusStr = "Value=\"" + Util.toXml(statusCode) + "\"";
 		}
 		valueMap.put("statusStr", statusStr);
 
-		valueMap.put("issuer", settings.getSpEntityId());
+		valueMap.put("issuer", Util.toXml(settings.getSpEntityId()));
 
 		return new StrSubstitutor(valueMap);
 	}

core/src/main/java/com/onelogin/saml2/settings/Metadata.java

@@ -1,5 +1,7 @@
 package com.onelogin.saml2.settings;
 
+import static com.onelogin.saml2.util.Util.toXml;
+
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -126,7 +128,7 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) throws Certif
 		Map<String, String> valueMap = new HashMap<String, String>();
 		Boolean wantsEncrypted = settings.getWantAssertionsEncrypted() || settings.getWantNameIdEncrypted();
 
-		valueMap.put("id", Util.generateUniqueID(settings.getUniqueIDPrefix()));
+		valueMap.put("id", Util.toXml(Util.generateUniqueID(settings.getUniqueIDPrefix())));
 		String validUntilTimeStr = "";
 		if (validUntilTime != null) {
 			String validUntilTimeValue = Util.formatDateTime(validUntilTime.getTimeInMillis());
@@ -141,12 +143,12 @@ private StrSubstitutor generateSubstitutor(Saml2Settings settings) throws Certif
 		}
 		valueMap.put("cacheDurationStr", cacheDurationStr);
 
-		valueMap.put("spEntityId", settings.getSpEntityId());
+		valueMap.put("spEntityId", Util.toXml(settings.getSpEntityId()));
 		valueMap.put("strAuthnsign", String.valueOf(settings.getAuthnRequestsSigned()));
 		valueMap.put("strWsign", String.valueOf(settings.getWantAssertionsSigned()));
-		valueMap.put("spNameIDFormat", settings.getSpNameIDFormat());
-		valueMap.put("spAssertionConsumerServiceBinding", settings.getSpAssertionConsumerServiceBinding());
-		valueMap.put("spAssertionConsumerServiceUrl", settings.getSpAssertionConsumerServiceUrl().toString());
+		valueMap.put("spNameIDFormat", Util.toXml(settings.getSpNameIDFormat()));
+		valueMap.put("spAssertionConsumerServiceBinding", Util.toXml(settings.getSpAssertionConsumerServiceBinding()));
+		valueMap.put("spAssertionConsumerServiceUrl", Util.toXml(settings.getSpAssertionConsumerServiceUrl().toString()));
 		valueMap.put("sls", toSLSXml(settings.getSpSingleLogoutServiceUrl(), settings.getSpSingleLogoutServiceBinding()));
 
 		valueMap.put("strAttributeConsumingService", getAttributeConsumingServiceXml());
@@ -198,10 +200,10 @@ private String getAttributeConsumingServiceXml() {
 
 			attributeConsumingServiceXML.append("<md:AttributeConsumingService index=\"1\">");
 			if (serviceName != null && !serviceName.isEmpty()) {
-				attributeConsumingServiceXML.append("<md:ServiceName xml:lang=\"en\">" + serviceName + "</md:ServiceName>");
+				attributeConsumingServiceXML.append("<md:ServiceName xml:lang=\"en\">" + Util.toXml(serviceName) + "</md:ServiceName>");
 			}
 			if (serviceDescription != null && !serviceDescription.isEmpty()) {
-				attributeConsumingServiceXML.append("<md:ServiceDescription xml:lang=\"en\">" + serviceDescription + "</md:ServiceDescription>");
+				attributeConsumingServiceXML.append("<md:ServiceDescription xml:lang=\"en\">" + Util.toXml(serviceDescription) + "</md:ServiceDescription>");
 			}
 			if (requestedAttributes != null && !requestedAttributes.isEmpty()) {
 				for (RequestedAttribute requestedAttribute : requestedAttributes) {
@@ -214,15 +216,15 @@ private String getAttributeConsumingServiceXml() {
 					String contentStr = "<md:RequestedAttribute";
 
 					if (name != null && !name.isEmpty()) {
-						contentStr += " Name=\"" + name + "\"";
+						contentStr += " Name=\"" + Util.toXml(name) + "\"";
 					}
 
 					if (nameFormat != null && !nameFormat.isEmpty()) {
-						contentStr += " NameFormat=\"" + nameFormat + "\"";
+						contentStr += " NameFormat=\"" + Util.toXml(nameFormat) + "\"";
 					}
 
 					if (friendlyName != null && !friendlyName.isEmpty()) {
-						contentStr += " FriendlyName=\"" + friendlyName + "\"";
+						contentStr += " FriendlyName=\"" + Util.toXml(friendlyName) + "\"";
 					}
 
 					if (isRequired != null) {
@@ -232,7 +234,7 @@ private String getAttributeConsumingServiceXml() {
 					if (attrValues != null && !attrValues.isEmpty()) {
 						contentStr += ">";
 						for (String attrValue : attrValues) {
-							contentStr += "<saml:AttributeValue xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" + attrValue + "</saml:AttributeValue>";
+							contentStr += "<saml:AttributeValue xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">" + Util.toXml(attrValue) + "</saml:AttributeValue>";
 						}
 						attributeConsumingServiceXML.append(contentStr + "</md:RequestedAttribute>");
 					} else {
@@ -256,9 +258,9 @@ private String toContactsXml(List<Contact> contacts) {
 		StringBuilder contactsXml = new StringBuilder();
 
 		for (Contact contact : contacts) {
-			contactsXml.append("<md:ContactPerson contactType=\"" + contact.getContactType() + "\">");
-			contactsXml.append("<md:GivenName>" + contact.getGivenName() + "</md:GivenName>");
-			contactsXml.append("<md:EmailAddress>" + contact.getEmailAddress() + "</md:EmailAddress>");
+			contactsXml.append("<md:ContactPerson contactType=\"" + Util.toXml(contact.getContactType()) + "\">");
+			contactsXml.append("<md:GivenName>" + Util.toXml(contact.getGivenName()) + "</md:GivenName>");
+			contactsXml.append("<md:EmailAddress>" + Util.toXml(contact.getEmailAddress()) + "</md:EmailAddress>");
 			contactsXml.append("</md:ContactPerson>");
 		}
 
@@ -276,10 +278,10 @@ private String toOrganizationXml(Organization organization) {
 
 		if (organization != null) {
 			String lang = organization.getOrgLangAttribute();
-			orgXml = "<md:Organization><md:OrganizationName xml:lang=\"" + lang + "\">" + organization.getOrgName()
-					+ "</md:OrganizationName><md:OrganizationDisplayName xml:lang=\"" + lang + "\">"
-					+ organization.getOrgDisplayName() + "</md:OrganizationDisplayName><md:OrganizationURL xml:lang=\""
-					+ lang + "\">" + organization.getOrgUrl() + "</md:OrganizationURL></md:Organization>";
+			orgXml = "<md:Organization><md:OrganizationName xml:lang=\"" + Util.toXml(lang) + "\">" + Util.toXml(organization.getOrgName())
+					+ "</md:OrganizationName><md:OrganizationDisplayName xml:lang=\"" + Util.toXml(lang) + "\">"
+					+ Util.toXml(organization.getOrgDisplayName()) + "</md:OrganizationDisplayName><md:OrganizationURL xml:lang=\""
+					+ Util.toXml(lang) + "\">" + Util.toXml(organization.getOrgUrl()) + "</md:OrganizationURL></md:Organization>";
 		}
 		return orgXml;
 	}
@@ -316,7 +318,7 @@ private String toX509KeyDescriptorsXML(X509Certificate certCurrent, X509Certific
 	            keyDescriptorXml.append("<md:KeyDescriptor use=\"signing\">");
 	            keyDescriptorXml.append("<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">");
 	            keyDescriptorXml.append("<ds:X509Data>");
-	            keyDescriptorXml.append("<ds:X509Certificate>"+certString+"</ds:X509Certificate>");
+	            keyDescriptorXml.append("<ds:X509Certificate>"+Util.toXml(certString)+"</ds:X509Certificate>");
 	            keyDescriptorXml.append("</ds:X509Data>");
 	            keyDescriptorXml.append("</ds:KeyInfo>");
 	            keyDescriptorXml.append("</md:KeyDescriptor>");
@@ -325,7 +327,7 @@ private String toX509KeyDescriptorsXML(X509Certificate certCurrent, X509Certific
 	                keyDescriptorXml.append("<md:KeyDescriptor use=\"encryption\">");
 	                keyDescriptorXml.append("<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">");
 	                keyDescriptorXml.append("<ds:X509Data>");
-	                keyDescriptorXml.append("<ds:X509Certificate>"+certString+"</ds:X509Certificate>");
+	                keyDescriptorXml.append("<ds:X509Certificate>"+Util.toXml(certString)+"</ds:X509Certificate>");
 	                keyDescriptorXml.append("</ds:X509Data>");
 	                keyDescriptorXml.append("</ds:KeyInfo>");
 	                keyDescriptorXml.append("</md:KeyDescriptor>");
@@ -343,8 +345,8 @@ private String toSLSXml(URL spSingleLogoutServiceUrl, String spSingleLogoutServi
 		StringBuilder slsXml = new StringBuilder();
 
 		if (spSingleLogoutServiceUrl != null) {
-			slsXml.append("<md:SingleLogoutService Binding=\"" + spSingleLogoutServiceBinding + "\"");
-			slsXml.append(" Location=\"" + spSingleLogoutServiceUrl.toString() + "\"/>");
+			slsXml.append("<md:SingleLogoutService Binding=\"" + Util.toXml(spSingleLogoutServiceBinding) + "\"");
+			slsXml.append(" Location=\"" + Util.toXml(spSingleLogoutServiceUrl.toString()) + "\"/>");
 		}
 		return slsXml.toString();
 	}

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -63,9 +63,9 @@
 import javax.xml.xpath.XPathFactory;
 import javax.xml.xpath.XPathFactoryConfigurationException;
 
-import com.onelogin.saml2.model.hsm.HSM;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.xml.security.encryption.EncryptedData;
 import org.apache.xml.security.encryption.EncryptedKey;
@@ -95,6 +95,7 @@
 import com.onelogin.saml2.exception.ValidationError;
 import com.onelogin.saml2.exception.XMLEntityException;
 import com.onelogin.saml2.model.SamlResponseStatus;
+import com.onelogin.saml2.model.hsm.HSM;
 
 
 /**
@@ -445,7 +446,7 @@ public static String convertDocumentToString(Document doc, Boolean c14n) {
 	 * @return the Document object
 	 */
 	public static String convertDocumentToString(Document doc) {
-		return convertDocumentToString(doc, false);
+		 return convertDocumentToString(doc, false);
 	}
 
 	/**
@@ -1984,6 +1985,17 @@ public static DateTime parseDateTime(String dateTime) {
 		}
 		return parsedData;
 	}
+	
+	/**
+	 * Escape a text so that it can be safely used within an XML element contents or attribute value.
+	 * 
+	 * @param text 
+	 * 				the text to escape
+	 * @return the escaped text (<code>null</code> if the input is <code>null</code>)
+	 */
+	public static String toXml(String text) {
+		return StringEscapeUtils.escapeXml10(text);
+	}
 
 	private static String toStringUtf8(byte[] bytes) {
 		try {