From 55312595a8ecafac3964b60a4f87625bb714ae2c Mon Sep 17 00:00:00 2001
From: Liam Morland <Liam@Morland.ca>
Date: Fri, 3 Jan 2014 18:06:44 -0500
Subject: [PATCH] Issue #1904100: Use DOMDocument() in create_xfdf() to avoid
 use of htmlspecialchars().

---
 xfdf.inc | 46 ++++++++++++++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/xfdf.inc b/xfdf.inc
index f253167..6e17d97 100644
--- a/xfdf.inc
+++ b/xfdf.inc
@@ -6,26 +6,40 @@
  */
 
 /**
- * create_xfdf
+ * Generates an XFDF file from values given in an associative array.
  *
- * Takes values passed via associative array and generates XFDF file format
- * with that data for the pdf address sullpiled.
+ * @param string $file
+ *   The PDF file: URL or file path accepted.
+ * @param array $info
+ *   Key/value pairs of the field data.
+ * @param string $enc
+ *   The character encoding. Must match server output: default_charset in php.ini.
  *
- * @param string $file The pdf file - url or file path accepted
- * @param array $info data to use in key/value pairs no more than 2 dimensions
- * @param string $enc default UTF-8, match server output: default_charset in php.ini
- * @return string The XFDF data for acrobat reader to use in the pdf form file
+ * @return string
+ *   The contents of the XFDF file.
  */
 function create_xfdf($file, $info, $enc = 'UTF-8') {
-  $data = '<?xml version="1.0" encoding="' . $enc . '"?>' . "\n" .
-    '<xfdf xmlns="http://ns.adobe.com/xfdf/" xml:space="preserve">' . "\n" .
-    '<fields>' . "\n";
+  $doc = new DOMDocument('1.0', $enc);
+
+  $xfdf_ele = $doc->appendChild($doc->createElement('xfdf'));
+  $xfdf_ele->setAttribute('xmlns', 'http://ns.adobe.com/xfdf/');
+  $xfdf_ele->setAttribute('xml:space', 'preserve');
+
+  $fields_ele = $xfdf_ele->appendChild($doc->createElement('fields'));
   foreach ($info as $name => $value) {
-    $data .= '<field name="' . htmlspecialchars($name) . '"><value>' . htmlspecialchars($value) . '</value></field>' . "\n";
+    $field_ele = $fields_ele->appendChild($doc->createElement('field'));
+    $field_ele->setAttribute('name', $name);
+
+    $value_ele = $field_ele->appendChild($doc->createElement('value'));
+    $value_ele->appendChild($doc->createTextNode($value));
   }
-  $data .= '</fields>' . "\n" .
-    '<ids original="' . md5($file) . '" modified="' . REQUEST_TIME . '" />' . "\n" .
-    '<f href="' . $file . '" />' . "\n" .
-    '</xfdf>' . "\n";
-  return $data;
+
+  $ids_ele = $xfdf_ele->appendChild($doc->createElement('ids'));
+  $ids_ele->setAttribute('original', md5($file));
+  $ids_ele->setAttribute('modified', REQUEST_TIME);
+
+  $f_ele = $xfdf_ele->appendChild($doc->createElement('f'));
+  $f_ele->setAttribute('href', $file);
+
+  return $doc->saveXML();
 }
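Review bot: The new code changes the encoding contract that the docblock still describes: `new DOMDocument('1.0', $enc)` on L42 only sets the encoding that `saveXML()` serialises to, while `createTextNode($value)` (L55), `setAttribute('name', $name)` (L52) and `setAttribute('href', $file)` (L68) expect UTF-8 input, so callers passing `$info` in a non-UTF-8 `$enc` will get mangled output where the old string concatenation emitted their bytes verbatim. Either state this in the docblock, e.g. `@param string $enc The output encoding; $info and $file must be UTF-8 regardless of $enc.`, or transcode at the three call sites with `mb_convert_encoding($value, 'UTF-8', $enc)`. On the plus side, the DOM API now escapes `$file` in the `href` attribute, which the old code never did; note however that DOM does not strip characters XML 1.0 forbids (control bytes below 0x20), so `saveXML()` can still emit an unparseable document for such input. `REQUEST_TIME` is an int passed to `setAttribute('modified', ...)` on L65; it coerces today, but `(string) REQUEST_TIME` keeps it correct if the file ever adopts strict_types.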
-- 
GitLab