Boost C++ Libraries: Ticket #1038: "<" and ">" should be excaped in xml_oarchive

attachment set

r.buergel@… — Thu, 07 Jun 2007 13:11:09 GMT

attachment → Test.cpp

Testcase

attachment set

r.buergel@… — Thu, 07 Jun 2007 13:12:27 GMT

attachment → 300-writing-lt-gt.patch

patch

owner set

Eric Niebler — Wed, 11 Jul 2007 01:59:14 GMT

owner set to Robert Ramey

Robert Ramey — Wed, 11 Jul 2007 03:35:49 GMT

"Using templates for other Archives works, so this should be corrected for XML Archives."

I can't see how this would be true. I'll look into it

Robert Ramey

r.buergel@… — Mon, 27 Aug 2007 13:26:31 GMT

Did you find some time for it?

status changed; resolution set

Robert Ramey — Fri, 30 Nov 2007 20:37:44 GMT

status new → closed
resolution → fixed

I've examined your test case, which boils down to:

typedef B<int> bint; BOOST_CLASS_EXPORT( B<int> )

With your suggestion, this would generate xml that looks like;

<B<int> ...>...</B<int>>

Is this legal xml?

Assuming it is, is this good idea?

Without making a better case for this, I would be disinclined to alterh the library.

Robert Ramey

status changed; resolution deleted

r.buergel@… — Mon, 03 Dec 2007 09:48:04 GMT

status closed → reopened
resolution fixed

It looks like we're talking about two different things here.

The suggested patch just changed the generated xml from <b class_id="1" class_name="B<int>" ...> to <b class_id="1" class_name="B<int>" ...>

I'm not sure, if class_name="B<int>" is valid XML, but i think so. At least it is unambiguous, because the angle brackets are enclosed by quotation marks. So, at a closer look, the xml-parser may be the real cause of the problem and my patch is more the workaround for this.

The case you are describing above doesn't come from using "BOOST_CLASS_EXPORT ( B<int> )", but from "ar & BOOST_SERIALIZATION_BASE_OBJECT_NVP( B<int> )". I added it to my testcase and at a quick view, that also seems to work for other archive types like text_archive, but fails for xml_archives. But for that case, the xml_oarchive fails, not the iarchive. So it is recognized when writing the serialization, and not until reading it.

I'd like to find a solution here. In the best case, the xml-reader is fixed to read class_name="B<int>", IF that is valid xml. But at least, the xml_oarchive should not be able to create archives, that can't be read by the xml_iarchive.

r.buergel@… — Tue, 04 Dec 2007 10:36:30 GMT

Ok, i looked it up in the XML specs ( http://www.w3.org/TR/2006/REC-xml-20060816/ ), what is valid xml and what not.

<b class_id="1" class_name="B<int>" ...> is invalid, because the left angle bracket is forbidden in attribute values. The escaped variant <b class_id="1" class_name="B<int>" ...> is valid.

The case you described above ( <B<int> ...>...</B<int>> ) is clearly invalid. But it didn't work before my patch and it doesn't work after applying it, because the xml_oarchive throws an exception, which states "Unrecognized XML Syntax".

So, currently it is possible to write invalid xml with you archive without getting trapped. But reading that invalid xml-file causes the application to fail.

Robert Ramey — Sat, 22 Dec 2007 21:40:06 GMT

First, thanks for spending time on this. We're now at the point where you've looked at it more deeply than I have. Does your patch:

a) create class_name="B<int&gt" on output b) and permit class_name="B<int&gt" in input? c) trap usage of < and > in variable names on output?

If not, can it be enhanced to do so? This to me would be a definitive solution to the the problem and guarentee that any archive that is successfully written with xml_oarchive can be successfully read by xml_iarchive - which is where I want the real situation to be.

Robert Ramey

Would this not resolve the issue

status, milestone changed; resolution set

Robert Ramey — Sun, 23 Dec 2007 22:43:52 GMT

status reopened → closed
resolution → fixed
milestone To Be Determined → Boost 1.36.0

OK, you've convinced me. I'm putting it in and testing it.

Robert Ramey