Migrated to double-quoted XML

Author: johnnyshields

UPGRADING.md

@@ -37,7 +37,8 @@ codebase for `RubySaml::XML::` and replace it as appropriate. In addition, you m
 `require 'xml_security'` with `require 'ruby_saml/xml'`.
 
 For backward compatibility, the alias `XMLSecurity = RubySaml::XML` has been set, so `RubySaml::XML::` will still work
-as before. In addition, a shim file has been added so that `require 'xml_security'` continues to work.
+as before, unless you have defined `XMLSecurity` prior to loading RubySaml.
+In addition, a shim file has been added so that `require 'xml_security'` continues to work.
 These aliases will be removed in RubySaml version `2.1.0`.
 
 ### Security: Change default hashing algorithm to SHA-256 (was SHA-1)
@@ -59,6 +60,23 @@ settings.security[:digest_method] = RubySaml::XML::Crypto::SHA1
 settings.security[:signature_method] = RubySaml::XML::Crypto::RSA_SHA1
 ```
 
+### Behavior change of double_quote_xml_attribute_values setting
+
+`settings.double_quote_xml_attribute_values` now always behaves as if it is set to `true`,
+i.e. RubySaml now always uses double quotes for attribute values when generating XML.
+
+The reasons for this change are:
+- RubySaml will use Nokogiri instead of REXML to generate XML. Nokogiri does not support
+  generating XML with single quotes.
+- Double quotes in XML tends to be the standard; there are no known SAML clients in the wild
+  which cannot support double-quoted XML.
+
+If you require to use single quotes in your XML output, you may try the following Regexp:
+
+```ruby
+
+```
+
 ### Removal of embed_sign setting
 
 The deprecated `settings.security[:embed_sign]` parameter has been removed. If you were using it, please instead switch

lib/ruby_saml/authrequest.rb

@@ -54,7 +54,7 @@ def create_params(settings, params={})
       end
 
       request_doc = create_authentication_xml_doc(settings)
-      request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+      request_doc.context[:attribute_quote] = :quote
 
       request = +""
       request_doc.write(request)

lib/ruby_saml/logoutrequest.rb

@@ -52,7 +52,7 @@ def create_params(settings, params={})
       end
 
       request_doc = create_logout_request_xml_doc(settings)
-      request_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+      request_doc.context[:attribute_quote] = :quote
 
       request = +""
       request_doc.write(request)

lib/ruby_saml/settings.rb

@@ -54,7 +54,6 @@ def initialize(overrides = {}, keep_security_attributes = false)
     attr_accessor :name_identifier_value
     attr_accessor :name_identifier_value_requested
     attr_accessor :sessionindex
-    attr_accessor :double_quote_xml_attribute_values
     attr_accessor :message_max_bytesize
     attr_accessor :passive
     attr_reader   :protocol_binding
@@ -230,7 +229,6 @@ def get_binding(value)
       idp_cert_fingerprint_algorithm: RubySaml::XML::Crypto::SHA256,
       message_max_bytesize: 250_000,
       soft: true,
-      double_quote_xml_attribute_values: false,
       security: {
         authn_requests_signed: false,
         logout_requests_signed: false,
@@ -248,6 +246,20 @@ def get_binding(value)
       }.freeze
     }.freeze
 
+    {
+      double_quote_xml_attribute_values: true
+    }.each do |old_param, new_value|
+      # @deprecated Will be removed in v2.1.0
+      define_method(old_param) do
+        removed_deprecation(old_param, new_value)
+      end
+
+      # @deprecated Will be removed in v2.1.0
+      define_method(:"#{old_param}=") do |_|
+        removed_deprecation(old_param, new_value)
+      end
+    end
+
     {
       issuer: :sp_entity_id,
       idp_sso_target_url: :idp_sso_service_url,
@@ -355,6 +367,12 @@ def compress_response=(value)
 
     private
 
+    # @deprecated Will be removed in v2.1.0
+    def removed_deprecation(old_param, new_value)
+      Logging.deprecate "`RubySaml::Settings##{old_param}` is deprecated and will be removed in RubySaml 2.1.0. " \
+                        "It no longer has any effect, and will behave as if always set to #{new_value.inspect}."
+    end
+
     # @deprecated Will be removed in v2.1.0
     def replaced_deprecation(old_param, new_param)
       Logging.deprecate "`RubySaml::Settings##{old_param}` is deprecated and will be removed in RubySaml 2.1.0. " \

lib/ruby_saml/slo_logoutresponse.rb

@@ -60,7 +60,7 @@ def create_params(settings, request_id = nil, logout_message = nil, params = {},
       end
 
       response_doc = create_logout_response_xml_doc(settings, request_id, logout_message, logout_status_code)
-      response_doc.context[:attribute_quote] = :quote if settings.double_quote_xml_attribute_values
+      response_doc.context[:attribute_quote] = :quote
 
       response = +""
       response_doc.write(response)