Gaurav Thakur

Gaurav Thakur

Developer, Architect, Technology Enthusiast.This is a journal for personal views and opinions.

Input Sanitization : Invalid XML Data, Validation

2 minute read

Recently, For a requirement,I had to make sure that the input data that comes in as a json body needs to be converted into xml to make subequent calls to other services. It landed up in a weird requirement, where data that could be valid for JSON, could prove to be invalid for an xml.

So needed to make sure to remove the invalid xml characters coming into the input request.

So I decided to use precompiled regex to validate if the request had any invalid xml characters.


/**
     * Regex pattern for invalid xml characters as defined in the XML 1.0 specification.
     */
    private static final String xml10pattern = "[^"
            + "\u0009\r\n"
            + "\u0020-\uD7FF"
            + "\uE000-\uFFFD"
            + "\ud800\udc00-\udbff\udfff"
            + "]";

And a simple method to validate the input payload.


/**
     * This method checks if the input String has only
     * valid XML unicode characters as specified by the
     * XML 1.0 standard. For reference, please see
     * the standard. 
     * This method will return null if the input is null or empty.
     *
     * @param inputData The String to check for invalid XML characters.
     * @return String, invalid xml character or null if xml only has 
     * valid characters.
     */
    private String hasInValidXmlCharacterData(final String inputData) {
    	String invalidStringinXml = null;
    	if (null != inputData) {
    		Matcher invalidXMlMatcher = xml10InvalidPattern.matcher(inputData);
    		if (invalidXMlMatcher.find()) {
    			invalidStringinXml = invalidXMlMatcher.group();
    		}
    	}
    	return invalidStringinXml; 
    }

Still for some reason the validation will always fail when i`ll send it out as a curl request. It would work from a main program or a junit for the same method, but the curl request would fail.

After some head scratching, I came to understand that I have to unescape the characters in the input payload. Thus after changing the method above to


/**
     * This method checks if the input String has only
     * valid XML unicode characters as specified by the
     * XML 1.0 standard. For reference, please see
     * the standard. 
     * This method will return null if the input is null or empty.
     *
     * @param inputData The String to check for invalid XML characters.
     * @return String, invalid xml character or null if xml only has 
     * valid characters.
     */
    private String hasInValidXmlCharacterData(final String inputData) {
    	String invalidStringinXml = null;
    	if (null != inputData) {
    		Matcher invalidXMlMatcher = xml10InvalidPattern.matcher(StringEscapeUtils.unescapeJava(inputData));
    		if (invalidXMlMatcher.find()) {
    			invalidStringinXml = invalidXMlMatcher.group();
    		}
    	}
    	return invalidStringinXml; 
    }

StringEscapeUtils from apache commons comes to rescue here

You May Also Enjoy

Salesforce Org-2-Org Migrations

3 minute read

Salesforce Org Migrations Recently I have been working on a salesforce org migration. Although I`m migrating from one salesforce instance to another salesfor...

TLS 1.0 To TLS 1.1 for Salesforce Clients

1 minute read

TLS 1.1, 1.0 Salesforce Since last six months, all of us working on the Salesforce platform have received multiple emails/notifications about the TLS 1.0 dis...

Meld on Windows with Github

less than 1 minute read

I recently made the move to windows machine being my primary development enviornment. The first biggest difference, that you realize is regarding the toolset...