[DAS] Possible XML error with LDAS 1.08

Andrew Dalke dalke@dalkescientific.com
Tue, 29 Oct 2002 02:31:14 -0700


Angie Hinrichs:
> I would change that once more to this:
> 
>   print qq(      <GROUP id="$groupid">$gclass</GROUP>\n);

I had to rewrite the XML I got from LDAS to do essentially
this so that my 'dascheck' program I announced a while back
would run against those servers.  I've sent this and a
set of other problems I identified to Lincoln.

BTW, I noticed in general in the LDAS code there are places like
this where text and fields are not escaped for XML.

For example, consider

<ENTRY_POINTS href="$url" version="1.0">

This doesn't escape the URL.  Suppose the URL contains a "&"
character.  The XML spec requires that that be escaped to "&amp;"
which means this could potentially generate invalid XML.  One
of the servers I tested against does this, but I think it
disappeared before I finished dascheck so I never coded a
workaround for it.

I don't know if "groupid" or "gclass" could ever contain
a special character, but due to general caution I would put
some more escapes on the various print statements, or at
least more assertion checks on the inputs.

					Andrew
					dalke@dalkescientific.com
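
The escaping suggested in the message above, as an added Perl example (not LDAS code and not part of the original post): it shows the two statements with raw interpolation next to the same statements with every field escaped. The helper names `xml_escape` and `has_bare_amp` and all sample values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five XML special characters. '&' is replaced first so the
# entities produced by the later substitutions are not escaped twice.
sub xml_escape {
    my ($s) = @_;
    die "xml_escape: undefined value\n" unless defined $s;
    # Characters XML 1.0 forbids outright cannot be escaped, only rejected.
    die "xml_escape: control character not allowed in XML 1.0\n"
        if $s =~ /[\x00-\x08\x0B\x0C\x0E-\x1F]/;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&apos;/g;
    return $s;
}

# Rough probe: an '&' that does not begin an entity or character
# reference means the output is not well-formed XML.
sub has_bare_amp {
    my ($xml) = @_;
    return $xml =~ /&(?!(?:[A-Za-z_][\w.-]*|#\d+|#x[0-9A-Fa-f]+);)/ ? 1 : 0;
}

# Constructed sample values (not taken from any real DAS server).
my $url     = 'http://das.example.org/das/dsn/entry_points?ref=1&start=100';
my $groupid = 'grp"7';
my $gclass  = 'exon<partial>';

# Values interpolated without escaping, as in the statements discussed.
my $raw = qq(<ENTRY_POINTS href="$url" version="1.0">\n)
        . qq(      <GROUP id="$groupid">$gclass</GROUP>\n);

# The same statements with every interpolated field escaped.
my $format = qq(<ENTRY_POINTS href="%s" version="1.0">\n)
           . qq(      <GROUP id="%s">%s</GROUP>\n);
my $safe = sprintf $format, map { xml_escape($_) } $url, $groupid, $gclass;

print "unescaped (bare '&': ", has_bare_amp($raw), "):\n$raw\n";
print "escaped (bare '&': ", has_bare_amp($safe), "):\n$safe";
```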