From a253e768a7830974a9ab185081af852194a6c2d4 Mon Sep 17 00:00:00 2001
From: Slendy
Date: Sun, 13 Nov 2022 17:05:24 -0600
Subject: [PATCH] Add more sanitization to reduce deserialization errors
---
 ProjectLighthouse/Extensions/ControllerExtensions.cs | 5 +++++
 ProjectLighthouse/Helpers/SanitizationHelper.cs | 2 ++
 2 files changed, 7 insertions(+)
diff --git a/ProjectLighthouse/Extensions/ControllerExtensions.cs b/ProjectLighthouse/Extensions/ControllerExtensions.cs
index 18cf3655..bee96926 100644
--- a/ProjectLighthouse/Extensions/ControllerExtensions.cs
+++ b/ProjectLighthouse/Extensions/ControllerExtensions.cs
@@ -2,6 +2,7 @@
 using System;
 using System.IO;
 using System.Linq;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using System.Xml.Serialization;
 using LBPUnion.ProjectLighthouse.Helpers;
@@ -29,9 +30,13 @@ public static class ControllerExtensions
 try
 {
+// Prevent unescaped ampersands from causing deserialization to fail
+bodyString = Regex.Replace(bodyString, "&(?!(amp|apos|quot|lt|gt);)", "&");
+
 XmlRootAttribute? root = null;
 if (rootElements.Length > 0)
 {
+//TODO: This doesn't support root tags with attributes, but it's only used in scenarios where there shouldn't any (UpdateUser and Playlists)
 string? matchedRoot = rootElements.FirstOrDefault(e => bodyString.StartsWith($@"<{e}>"));
 if (matchedRoot == null)
 {
diff --git a/ProjectLighthouse/Helpers/SanitizationHelper.cs b/ProjectLighthouse/Helpers/SanitizationHelper.cs
index 3df81756..20273ff2 100644
--- a/ProjectLighthouse/Helpers/SanitizationHelper.cs
+++ b/ProjectLighthouse/Helpers/SanitizationHelper.cs
@@ -11,6 +11,8 @@ public static class SanitizationHelper
 private static readonly Dictionary charsToReplace = new()
 {
 {"<", "<"},
 {">", ">"},
+{"\"", """},
+{"'", "'"},
 };
 public static void SanitizeStringsInClass(object? instance)
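Review bot: The lookahead in the new `Regex.Replace` call exempts only the five named XML entities, so a body carrying a numeric character reference such as `&#39;` or `&#x27;` is rewritten to `&amp;#39;` and the deserialized text no longer matches what the client sent. Extending the exclusion to `"&(?!(amp|apos|quot|lt|gt|#x?[0-9A-Fa-f]+);)"` keeps those references intact. Because this runs on every request body, the pattern would also be better held as a `private static readonly Regex` built with `RegexOptions.Compiled` and a match timeout, rather than re-parsed through the static `Regex.Replace` overload on each call. As displayed here the replacement string is `"&"`, which would be a no-op; that looks like the page's entity decoding of `"&amp;"`, but it is worth confirming against the committed file. The enclosing method starts and ends outside this hunk.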
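Review bot: `charsToReplace` still has no entry for `&`, so after the two new quote mappings the table encodes `<`, `>`, `"` and `'` but leaves a stray `&` or a pre-existing `&lt;` untouched, which makes it an incomplete XML/HTML encoder; if the table is applied as ordered replacements, `&` would also have to be the first entry so the output of the other four is not re-encoded. If leaving `&` out is deliberate, a one-line comment on the dictionary saying why would stop the next person from adding it; otherwise `System.Security.SecurityElement.Escape` or `System.Net.WebUtility.HtmlEncode` covers all five characters in a known order. As displayed, the new entries read `{"\"", """}` and `{"'", "'"}` and the field type shows as a bare `Dictionary`; that looks like the page's entity decoding and tag stripping of `"&quot;"`, `"&apos;"` and `Dictionary<string, string>`, but the committed file should be checked. How the table is applied is in `SanitizeStringsInClass`, whose body lies outside this hunk.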