From 1a60d581c946d6cbfc4658c245a4a5494355fee2 Mon Sep 17 00:00:00 2001
From: Baruch Siach <baruch@tkos.co.il>
Date: Mon, 30 Nov 2020 13:36:50 +0200
Subject: [PATCH] Encode xpath select values with yang

Search key values might contain xml meta-characters. These break
clixon_xml_parse_string() unless properly encoded.
---
 lib/src/clixon_xml_sort.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/src/clixon_xml_sort.c b/lib/src/clixon_xml_sort.c
index 1680fc1d..5b78c021 100644
--- a/lib/src/clixon_xml_sort.c
+++ b/lib/src/clixon_xml_sort.c
@@ -1343,6 +1343,7 @@ xml_find_index_yang(cxobj       *xp,
     cg_var    *ycv = NULL;
     int        i;
     char      *name;
+    char      *encstr;
     int        revert = 0;
     char      *indexvar = NULL;
 
@@ -1377,7 +1378,10 @@ xml_find_index_yang(cxobj       *xp,
 		revert++;
 		break;
 	    }
-	    cprintf(cb, "<%s>%s</%s>", kname, cv_string_get(cvi), kname);
+	    if (xml_chardata_encode(&encstr, "%s", cv_string_get(cvi)) < 0)
+		goto done;
+	    cprintf(cb, "<%s>%s</%s>", kname, encstr, kname);
+	    free(encstr);
 	    i++;
 	}
 	if (revert)
@@ -1390,7 +1394,10 @@ xml_find_index_yang(cxobj       *xp,
 	    goto done;
 	}
 	cvi = cvec_i(cvk, 0);
-	cprintf(cb, "<%s>%s</%s>", name, cv_string_get(cvi), name);
+	if (xml_chardata_encode(&encstr, "%s", cv_string_get(cvi)) < 0)
+	    goto done;
+	cprintf(cb, "<%s>%s</%s>", name, encstr, name);
+	free(encstr);
 	break;
     default:
 	cprintf(cb, "<%s/>", name);
@@ -1407,7 +1414,10 @@ xml_find_index_yang(cxobj       *xp,
 	    yang_flag_get(yi, YANG_FLAG_INDEX) == 0)
 	    goto revert;
 	cbuf_reset(cb);
-	cprintf(cb, "<%s><%s>%s</%s></%s>", name, iname, cv_string_get(cvi), iname, name);	
+	if (xml_chardata_encode(&encstr, "%s", cv_string_get(cvi)) < 0)
+	    goto done;
+	cprintf(cb, "<%s><%s>%s</%s></%s>", name, iname, encstr, iname, name);
+	free(encstr);
 	indexvar = iname;
     }
 #else