From: Tom Hughes
Date: Wed, 18 Jun 2014 23:25:18 +0000 (+0100)
Subject: Improve blocking of characters not allowed in XML
X-Git-Tag: live~4367
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/0cc579b2875a1f31d4425cc90378fd8cbf934974

Improve blocking of characters not allowed in XML
---

diff --git a/app/controllers/amf_controller.rb b/app/controllers/amf_controller.rb
index 57eb28237..ad337d8a7 100644
--- a/app/controllers/amf_controller.rb
+++ b/app/controllers/amf_controller.rb
@@ -551,7 +551,7 @@ class AmfController < ApplicationController
 mid = renumberedways[mid] if m[0] == 'Way'
 end
 if mid
- typedmembers << [m[0], mid, m[2].delete("\000-\037", "^\011\012\015")]
+ typedmembers << [m[0], mid, m[2].delete("\000-\037\ufffe\uffff", "^\011\012\015")]
 end
 end
@@ -886,8 +886,8 @@ class AmfController < ApplicationController
 new_tags = Hash.new
 unless tags.nil?
 tags.each do |k, v|
- new_k = k.delete "\000-\037", "^\011\012\015"
- new_v = v.delete "\000-\037", "^\011\012\015"
+ new_k = k.delete "\000-\037\ufffe\uffff", "^\011\012\015"
+ new_v = v.delete "\000-\037\ufffe\uffff", "^\011\012\015"
 new_tags[new_k] = new_v
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 9bfb96776..81154fff7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
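Review bot: The delete set on the `typedmembers << [...]` line is now a non-ASCII UTF-8 literal, so `m[2].delete("\000-\037\ufffe\uffff", ...)` depends on the member role string being encoding-compatible with UTF-8, whereas the old ASCII-only set worked with any receiver. If an AMF-decoded string can arrive tagged as binary and contain high bytes, `delete` would raise Encoding::CompatibilityError rather than strip; the decoder is not visible here, so this needs checking against it. The same literal is repeated twice in the tag loop of the -886 hunk, and one frozen constant shared by all three sites, e.g. `XML_FORBIDDEN_CHARS = "\000-\037\ufffe\uffff".freeze`, would keep them from drifting apart. The enclosing method starts and ends outside the hunk.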
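Review bot: In the tag loop, `new_tags[new_k] = new_v` overwrites silently when two submitted keys become identical after stripping, and widening the delete set widens that case. Which value survives then depends on iteration order, and the caller gets no indication that a tag was dropped. If that is not intended, make it explicit, for instance `next if new_tags.key?(new_k)` or a rejection, and say in a comment which behaviour is wanted. The stripping in this file also gets no test in this commit; only the model validation does. The method's start and end lie outside the hunk.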
@@ -42,7 +42,7 @@ class User < ActiveRecord::Base
 validates_length_of :display_name, :within => 3..255, :allow_nil => true
 validates_email_format_of :email, :if => Proc.new { |u| u.email_changed? }
 validates_email_format_of :new_email, :allow_blank => true, :if => Proc.new { |u| u.new_email_changed? }
- validates_format_of :display_name, :with => /\A[^\x00-\x1f\x7f\/;.,?%#]*\z/, :if => Proc.new { |u| u.display_name_changed? }
+ validates_format_of :display_name, :with => /\A[^\x00-\x1f\x7f\ufffe\uffff\/;.,?%#]*\z/, :if => Proc.new { |u| u.display_name_changed? }
 validates_format_of :display_name, :with => /\A\S/, :message => "has leading whitespace", :if => Proc.new { |u| u.display_name_changed? }
 validates_format_of :display_name, :with => /\S\z/, :message => "has trailing whitespace", :if => Proc.new { |u| u.display_name_changed? }
 validates_numericality_of :home_lat, :allow_nil => true
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index 15bd64ccc..5e03c7e03 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -87,7 +87,7 @@ class UserTest < ActiveSupport::TestCase # should be used. bad = [ "
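Review bot: The tightened `display_name` format check is guarded by `:if => Proc.new { |u| u.display_name_changed? }`, so it only applies to new or edited names. Any stored name that already contains U+FFFE or U+FFFF keeps passing validation and would presumably still reach XML output. Nothing in the diff cleans existing rows, so a one-off audit of stored display names belongs with this change. The character class is also becoming hard to read; a comment above it such as `# U+FFFE and U+FFFF are rejected because they are not valid XML characters` would record why they are there.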
", "test@example.com", "s/f", "aa/", "aa;", "aa.", "aa,", "aa?", "/;.,?", "も対応します/", "#ping", - "foo\x1fbar", "foo\x7fbar" ] + "foo\x1fbar", "foo\x7fbar", "foo\ufffebar", "foo\uffffbar" ] ok.each do |display_name| user = users(:normal_user) user.display_name = display_name