Fix Issue#1235: Sanitize XML comment to prevent invalid token errors (#1783)

cfsmp3 · web-flow · commit 810e02f7fab2 · 2025-12-07T22:41:11.000-08:00
Original description:

Pull Requests Description :
Added logic to detect and replace any occurrence of "--" in comments with a single "-" to ensure valid XML.
Used a bulk write ('fwrite') to efficiently handle portions of the string that don't contain invalid sequences.
Ensured that comments are written correctly without altering the original structure of the code.
Updated function 'write_spucomment' to handle the sanitization process efficiently.
diff --git a/src/lib_ccx/ccx_encoders_spupng.c b/src/lib_ccx/ccx_encoders_spupng.c
@@ -186,7 +186,38 @@ void write_sputag_close(struct spupng_t *sp)
 }
 void write_spucomment(struct spupng_t *sp, const char *str)
 {
-	fprintf(sp->fpxml, "<!--\n%s\n-->\n", str);
+	fprintf(sp->fpxml, "<!--\n");
+
+	const char *p = str;
+	const char *last_safe_pos = str; // Track the last safe position to flush
+
+	while (*p)
+	{
+
+		if (*p == '-' && *(p + 1) == '-')
+		{
+
+			if (p > last_safe_pos)
+			{
+				fwrite(last_safe_pos, 1, p - last_safe_pos, sp->fpxml);
+			}
+
+			fputc('-', sp->fpxml);
+			p += 2;
+			last_safe_pos = p;
+		}
+		else
+		{
+			p++;
+		}
+	}
+
+	if (p > last_safe_pos)
+	{
+		fwrite(last_safe_pos, 1, p - last_safe_pos, sp->fpxml);
+	}
+
+	fprintf(sp->fpxml, "\n-->\n");
 }
 
 char *get_spupng_filename(void *ctx)
