From aa5aa76180dab183ed10028252e3032d89c65049 Mon Sep 17 00:00:00 2001
From: lissine <lissine@ellini.org>
Date: Wed, 22 Jan 2025 23:57:18 +0100
Subject: [PATCH] Remove invalid XML characters before sending a message

---
 Monal/Classes/HelperTools.h        |  1 +
 Monal/Classes/HelperTools.m        | 31 ++++++++++++++++++++++++++++++
 Monal/Classes/chatViewController.m |  2 ++
 3 files changed, 34 insertions(+)

diff --git a/Monal/Classes/HelperTools.h b/Monal/Classes/HelperTools.h
index 86087b5e4..ba1ed08b7 100644
--- a/Monal/Classes/HelperTools.h
+++ b/Monal/Classes/HelperTools.h
@@ -221,6 +221,7 @@ void swizzle(Class c, SEL orig, SEL new);
 +(NSNumber*) currentTimestampInSeconds;
 +(NSNumber*) dateToNSNumberSeconds:(NSDate*) date;
 
++(NSString*) removeInvalidXMLCharactersFromString:(NSString*) inputString;
 +(BOOL) constantTimeCompareAttackerString:(NSString* _Nonnull) str1 withKnownString:(NSString* _Nonnull) str2;
 
 +(BOOL) isIP:(NSString*) host;
diff --git a/Monal/Classes/HelperTools.m b/Monal/Classes/HelperTools.m
index 1e7e55294..7fc9fe530 100644
--- a/Monal/Classes/HelperTools.m
+++ b/Monal/Classes/HelperTools.m
@@ -102,6 +102,7 @@ -(void) swizzled_queueLogMessage:(DDLogMessage*) logMessage asynchronously:(BOOL
 static NSObject* _suspensionHandling_lock = nil;
 static BOOL _suspensionHandling_isSuspended = NO;
 static NSMutableDictionary* _versionInfoCache;
+static NSCharacterSet* _validXMLCharacters;
 static MLStreamRedirect* _stdoutRedirector = nil;
 static MLStreamRedirect* _stderrRedirector = nil;
 static volatile void (*_oldExceptionHandler)(NSException*) = NULL;
@@ -458,6 +459,25 @@ +(void) initialize
     u_int32_t i = arc4random();
     _processID = [self hexadecimalString:[NSData dataWithBytes:&i length:sizeof(i)]];
     
+    //values taken from https://www.w3.org/TR/2008/REC-xml-20081126/#charsets
+    NSMutableCharacterSet* validXMLCharacters = [NSMutableCharacterSet characterSetWithCharactersInString:@"\t\n\r"]; // #x9, #xA, #xD
+    [validXMLCharacters formUnionWithCharacterSet:[NSCharacterSet characterSetWithRange:NSMakeRange(0x20, 0xD7FF - 0x20 + 1)]];
+    [validXMLCharacters formUnionWithCharacterSet:[NSCharacterSet characterSetWithRange:NSMakeRange(0xE000, 0xFFFD - 0xE000 + 1)]];
+    [validXMLCharacters formUnionWithCharacterSet:[NSCharacterSet characterSetWithRange:NSMakeRange(0x10000, 0x10FFFF - 0x10000 + 1)]];
+
+    NSMutableString* notRecommendedXMLCharacters = [NSMutableString new];
+    for (unichar i = 0x007F; i <= 0x0084; i++)
+        [notRecommendedXMLCharacters appendFormat:@"%C", i];
+
+    for (unichar i = 0x0086; i <= 0x009F; i++)
+        [notRecommendedXMLCharacters appendFormat:@"%C", i];
+
+    for (unichar i = 0xFDD0; i <= 0xFDEF; i++)
+        [notRecommendedXMLCharacters appendFormat:@"%C", i];
+
+    [validXMLCharacters removeCharactersInString:notRecommendedXMLCharacters];
+    _validXMLCharacters = [validXMLCharacters copy];
+
     //shamelessly stolen from utils.ip in conversations source
     IPV4 = [NSRegularExpression regularExpressionWithPattern:@"\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z" options:0 error:nil];
     IPV6_HEX4DECCOMPRESSED = [NSRegularExpression regularExpressionWithPattern:@"\\A((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?) ::((?:[0-9A-Fa-f]{1,4}:)*)(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z" options:0 error:nil];
@@ -3158,6 +3178,17 @@ +(NSArray*) splitString:(NSString*) string withSeparator:(NSString*) separator a
     return result;
 }
 
++(NSString*) removeInvalidXMLCharactersFromString:(NSString*) inputString
+{
+    NSMutableString* result = [NSMutableString new];
+    for (NSUInteger i = 0; i < inputString.length; i++) {
+        unichar character = [inputString characterAtIndex:i];
+        if([_validXMLCharacters characterIsMember:character])
+          [result appendFormat:@"%C", character];
+    }
+    return [result copy];
+}
+
 //see https://nachtimwald.com/2017/04/02/constant-time-string-comparison-in-c/
 +(BOOL) constantTimeCompareAttackerString:(NSString* _Nonnull) str1 withKnownString:(NSString* _Nonnull) str2
 {
diff --git a/Monal/Classes/chatViewController.m b/Monal/Classes/chatViewController.m
index ece56e45f..79f01ee5c 100644
--- a/Monal/Classes/chatViewController.m
+++ b/Monal/Classes/chatViewController.m
@@ -1138,6 +1138,8 @@ -(void) resignTextView
 
     // Trim leading spaces
     NSString* cleanString = [self.chatInput.text stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+    cleanString = [HelperTools removeInvalidXMLCharactersFromString:cleanString];
+
     // Only send msg that have at least one character
     if(cleanString.length > 0)
     {