From 0d2e76a558bd9e09173d2e009ee9444126670ce1 Mon Sep 17 00:00:00 2001
From: Patrick Griffis
Date: Sun, 22 Oct 2023 20:34:41 -0500
Subject: [PATCH] XML: Validate attribute values
---
 src/builder-utils.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/builder-utils.c b/src/builder-utils.c
index e4d11ebe..2ee96b4a 100644
--- a/src/builder-utils.c
+++ b/src/builder-utils.c
@@ -1454,6 +1454,19 @@ xml_start_element (GMarkupParseContext *context,
 {
 XmlData *data = user_data;
 FlatpakXml *node;
+ const char *invalid_chars = "<>'\"";
+
+ for (uint i = 0; attribute_values[i]; i++)
+ {
+ const char *value = attribute_values[i];
+ for (uint j = 0; invalid_chars[j]; j++) {
+ if (strchr (value, invalid_chars[j]))
+ {
+ g_set_error (error, G_IO_ERROR, G_MARKUP_ERROR_INVALID_CONTENT, "Invalid character %c in XML attribute", invalid_chars[j]);
+ return;
+ }
+ }
+ }
 node = flatpak_xml_new_with_attributes (element_name,
 attribute_names,
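Review bot: The `g_set_error` call in the inner loop pairs the `G_IO_ERROR` domain with a code from the `GMarkupError` enum, so a caller testing `g_error_matches (error, G_MARKUP_ERROR, G_MARKUP_ERROR_INVALID_CONTENT)` will not match and the code is read as an unrelated `GIOErrorEnum` value; it should be `g_set_error (error, G_MARKUP_ERROR, G_MARKUP_ERROR_INVALID_CONTENT, "Invalid character %c in XML attribute", invalid_chars[j]);`. The check is a denylist of `<>'"` applied to values GMarkup has already unescaped, so `&` still passes. If these attributes are later written back out without escaping (the serializer is not visible in this hunk), escaping on output with `g_markup_escape_text` would be more robust than rejecting characters on input. `uint` is not a standard C type, so `guint` would match GLib usage, and the inner loop could be a single `strpbrk (value, invalid_chars)` call. The body of `xml_start_element` continues past the end of the hunk.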