Index: openacs-4/packages/search/tcl/syndicate-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/search/tcl/syndicate-procs.tcl,v diff -u -r1.4 -r1.5 --- openacs-4/packages/search/tcl/syndicate-procs.tcl 7 Aug 2017 23:48:29 -0000 1.4 +++ openacs-4/packages/search/tcl/syndicate-procs.tcl 3 Sep 2024 15:37:54 -0000 1.5 @@ -16,7 +16,10 @@ JCD: to fix: should not just glue together XML this way, also assumes rss 2.0, no provision for alternate formats, assumes content:encoded will be defined in the wrapper. } { - if {![parameter::get -boolean -package_id [apm_package_id_from_key search] -parameter Syndicate -default 0]} { + if {![parameter::get -boolean \ + -package_id [apm_package_id_from_key search] \ + -parameter Syndicate \ + -default 0]} { return } if {$action eq "DELETE"} { @@ -42,7 +45,7 @@ set published [lc_time_fmt $syn(pubDate) "%a, %d %b %Y %H:%M:%S GMT"] - set xmlMap [list & "&" < "<" > ">" \" """ ' "'"] + set xmlMap [list & "&" < "<" > ">" \" """ ' "'"] set rss_xml_frag " [string map $xmlMap $d(title)] [string map $xmlMap $url] 
@@ -55,7 +58,26 @@
 "
 db_dml nuke {delete from syndication where object_id = :object_id}
- db_dml insert {insert into syndication(object_id, rss_xml_frag, body, url) values (:object_id, :rss_xml_frag, :body, :url)}
+
+ #
+ # Null character is forbidden in a database bind variable. We
+ # replace it with the empty string when found.
+ #
+ set sanitized 0
+ incr sanitized [regsub -all \x00 $rss_xml_frag {} rss_xml_frag]
+ incr sanitized [regsub -all \x00 $body {} body]
+ #
+ # If we had to sanitize the content, we complain in the server
+ # log: probably one of the binary-to-text conversion is broken
+ # or needs to be revised.
+ #
+ if {$sanitized > 0} {
+ ad_log warning "Attempt to introduce forbidden characters in the syndication table by object ${object_id}"
+ }
+
+ db_dml insert {insert into syndication(object_id, rss_xml_frag, body, url)
+ values (:object_id, :rss_xml_frag, :body, :url)
+ }
 }
 }
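Review bot: The NUL stripping covers `rss_xml_frag` and `body` but not `url`, which is bound in the same `db_dml insert`; a NUL in `$url` would be removed from the fragment (which the earlier hunk shows is built from `$url`) yet still reach the `:url` bind variable and make the insert fail. Adding `incr sanitized [regsub -all \x00 $url {} url]` next to the other two calls closes that gap, though whether a URL can carry a NUL in practice is not visible here. Because `db_dml nuke` runs before the insert, a failed insert would leave the object with no syndication row unless the caller wraps both statements in a transaction, which the hunk does not show. The warning could also say which field was sanitized, since the message carries only `object_id` and gives little to go on when tracing the broken conversion. The enclosing proc starts outside this hunk.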