
Escape XML content securely

RooCodeInc/Roo-Code
Based on 1 comment
Xml

Always use proper XML entity escaping instead of CDATA blocks when embedding XML-like content within XML documents. CDATA sections can be vulnerable to XML injection attacks if the content isn't properly validated or controlled.

Security Xml

Reviewer Prompt

Always use proper XML entity escaping instead of CDATA blocks when embedding XML-like content within XML documents. CDATA sections can be vulnerable to XML injection attacks if the content isn't properly validated or controlled: a CDATA section ends at the first "]]>", so untrusted content containing that sequence terminates the section early and everything after it is parsed as markup.

For example, instead of:

<tool_use><![CDATA[
<update_todo_list>
<todos>
  [ ] First item
  [ ] Second item
</todos>
</update_todo_list>
]]></tool_use>

Use properly escaped XML entities:

<tool_use>
  &lt;update_todo_list&gt;
    &lt;todos&gt;
      [ ] First item
      [ ] Second item
    &lt;/todos&gt;
  &lt;/update_todo_list&gt;
</tool_use>

Because escaping replaces <, > and & with entity references, no part of the embedded content can be interpreted as markup. This prevents XML injection vulnerabilities that could allow attackers to manipulate XML processing, potentially leading to data exposure, unauthorized access, or other security breaches in systems that parse and process your XML documents.
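As an added example (not code from the Roo-Code project), the following Python script runs both embeddings through the standard-library XML parser: the benign todo list above survives either way, but content containing the CDATA terminator "]]>" splits the CDATA section and smuggles in an element, whereas entity escaping returns exactly the original text. The helper names, the tool_use wrapper functions and the constructed hostile input are assumptions made for this illustration.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET


def wrap_cdata(content: str) -> str:
    # Hypothetical helper: the CDATA embedding the rule advises against.
    # Nothing here stops `content` from containing the terminator "]]>".
    return f"<tool_use><![CDATA[{content}]]></tool_use>"


def wrap_escaped(content: str) -> str:
    # Hypothetical helper: entity escaping of '<', '>' and '&', so no part of
    # `content` can ever be read as markup by the XML processor.
    return f"<tool_use>{escape(content)}</tool_use>"


def parse_tool_use(doc: str) -> dict:
    # Report what a real XML parser sees: the text of <tool_use> and any
    # child elements that appeared where only text was intended.
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return {"ok": False, "text": "", "child_tags": [], "error": str(exc)}
    return {"ok": True, "text": root.text or "", "child_tags": [c.tag for c in root]}


# The benign todo-list content from the rule text above.
TODO_XML = (
    "<update_todo_list>\n<todos>\n  [ ] First item\n  [ ] Second item\n"
    "</todos>\n</update_todo_list>"
)

# Constructed untrusted input: a todo item that closes the CDATA section
# early, injects an element, and reopens CDATA so the document still parses.
INJECTED = "[ ] Buy milk]]><injected/><![CDATA["


def demo() -> dict:
    # Benign content survives either embedding; hostile content does not.
    return {
        "cdata_benign": parse_tool_use(wrap_cdata(TODO_XML)),
        "cdata_hostile": parse_tool_use(wrap_cdata(INJECTED)),
        "escaped_hostile": parse_tool_use(wrap_escaped(INJECTED)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that escape() also encodes ">", which matters because "]]>" is not permitted as literal character data even outside CDATA.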
