
Generates invalid XML

Smack generates invalid XML when, for instance, a user-supplied string is appended to the packet's contents as-is. One such example is when a RosterPacket.Item is created that contains an ampersand; the ampersand will be sent literally in the stream, thus provoking a stream error.

To fix this, all strings used as attributes and element content must be escaped. I see there is a method StringUtils.escapeForXML for this purpose, so maybe other classes are more careful. I'll post here those I find to lack proper escaping.

Authentication.getChildElementXML has the same problem with fields username, password and resource. Digest should be safe, as it is hex-encoded.
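
The failure described above, as an added example that is not part of the original post and is not Smack's code: a roster-style `<item>` is built once by plain concatenation and once with every attribute value and text node escaped, and each result is checked with the JDK's XML parser. The class name, the `escape` helper (a stand-in for an escaper such as StringUtils.escapeForXML, whose implementation is not shown on this page) and the sample values are assumptions constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class RosterItemEscaping {
    // Hypothetical escaper for the five XML-significant characters.
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Appends the caller's strings as-is: the pattern the post reports.
    static String itemUnescaped(String jid, String name, String group) {
        return "<item jid=\"" + jid + "\" name=\"" + name + "\"><group>"
                + group + "</group></item>";
    }

    // Escapes every attribute value and text node before it reaches the stream.
    static String itemEscaped(String jid, String name, String group) {
        return "<item jid=\"" + escape(jid) + "\" name=\"" + escape(name)
                + "\"><group>" + escape(group) + "</group></item>";
    }

    // True if the fragment parses as well-formed XML; DOCTYPEs are refused.
    static boolean wellFormed(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        try { b.parse(new InputSource(new StringReader(xml))); return true; }
        catch (SAXException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values containing a literal ampersand.
        String jid = "juliet@example.com", name = "Tom & Jerry", group = "R&D";
        System.out.println("as-is:   " + wellFormed(itemUnescaped(jid, name, group)));
        System.out.println("escaped: " + wellFormed(itemEscaped(jid, name, group)));
    }
}
```

The same check can be applied to any class that builds its child element XML by concatenation, such as the username, password and resource fields mentioned above.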