XML content is not escaped.

[fisx]

I just got the following test case to pass over in saml2-web-sso:

      HS.samlToXML (HS.simpleNameID HS.NameIDFormatUnspecified "<something>")
        `shouldBe` "<NameID xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\"><something></NameID>"
        -- it really shouldn't, though!

Not sure how big of a security issue that is, but it doesn't seem right. I'm wondering if there is some escaping functionality in HXT that is just hard to call in all the right places?

I don't think this'll be trivial to fix. I have worked around this in saml2-web-sso in hopefully all the places for now.

[dylex]

Urm, yeah that doesn't seem right. It should at least be easy to fix, I just am not sure how, because I've never been clear about how hxt intends to deal with this. I believe the actual problem is in the implementation of docToXML (for samlToXML). This currently uses Text.XML.HXT.Arrow.XmlArrow.xshowBlob, which uses Text.XML.HXT.DOM.ShowXml.xshowBlob, which, unlike other functions like xshow', doesn't do any escaping.

I've now changed this to using xshow' and escapeXmlRefs directly, though it doesn't feel quite right to me either. I do think this is at least the right place for a fix, rather than xpString or higher places for example. Totally open if you have a better hxt solution, though.

[fisx]

I'm still not the right person to ask for opinions on HXT. :-) I think it's just not ready, and it's so old and vast it will never be.

Thanks for looking into this! Your patch idea reasonable to me. I'll let you know if I can find the time to test it and/or merge our fork with it.