From 0b7449ef614cd6514a7f81ebdc8f2171efee0ca9 Mon Sep 17 00:00:00 2001
From: Alex Dowad <alexinbeijing@gmail.com>
Date: Thu, 24 Feb 2022 14:58:01 +0200
Subject: [PATCH] Be strict about handling of malformed XML attributes

This code was written by Natanael Copa.
---
 LuaXML_lib.c | 11 ++++++++++-
 unittest.lua |  8 ++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/LuaXML_lib.c b/LuaXML_lib.c
index 6c074de..ae330ee 100644
--- a/LuaXML_lib.c
+++ b/LuaXML_lib.c
@@ -671,8 +671,17 @@ int Xml_eval(lua_State *L) {
 				// parse tag header
 				size_t sepPos = find(token, "=", 0);
 				if (token[sepPos]) { // regular attribute (key="value")
-					const char *aVal = token + sepPos + 2;
+					const char *aVal = token + sepPos + 1;
 					lua_pushlstring(L, token, sepPos);
+					size_t lenVal = strlen(aVal);
+
+					if (lenVal < 2 || ((aVal[0] != '"' && aVal[0] != '\'') || (aVal[lenVal-1] != '"' && aVal[lenVal-1] != '\'')))
+						luaL_error(L, "Malformed XML: attribute value not quoted in '%s'", token);
+
+					// strip quote chars
+					aVal++;
+					lenVal -= 2;
+
 					Xml_pushDecode(L, aVal, strlen(aVal) - 1);
 					lua_rawset(L, -3);
 				}
diff --git a/unittest.lua b/unittest.lua
index e179d91..1d16d7a 100644
--- a/unittest.lua
+++ b/unittest.lua
@@ -162,5 +162,13 @@ function TestXml:test_transform()
 	lu.assertEquals(test, expected)
 end
 
+function TestXml:test_malformed_attribute()
+	-- malformed XML attribute
+	lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad=0></a>")
+	lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad=></a>")
+	lu.assertErrorMsgContains("Malformed XML", xml.eval, "<a bad='></a>")
+	lu.assertErrorMsgContains("Malformed XML", xml.eval, '<a bad="></a>')
+end
+
 -- run test suite with verbose output
 os.exit(lu.LuaUnit.run("-v"))
-- 
2.25.1