Forum Discussion

CMHansen
15 years ago

getXmlHolder crashing groovy script

Hi,
I'm running a TestCase where I am injecting values into a Soap Request and then firing them at my service to test for certain vulnerabilities. The script currently breaks while trying to retrieve the response. I know why it's breaking, but I'm uncertain as to how to fix the issue. When I send the request, I'm getting a fault returned (as is expected), however it contains a piece of javascript code for error handling, which is what is tripping up the groovy script it seems.

The line that is causing the error:
def response = groovyUtils.getXmlHolder( "SOAP Request#Response" )


The response that is crashing that line:
<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:xsd="http://www.w3.org/1999/XMLSchema">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Client</faultcode>
<faultstring>Invalid key: <IMG%20src='x-javascript:alert(document.cookie)'></faultstring>
<faultactor>/search/beta2</faultactor>
</SOAP-ENV:Fault>

</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


Error message:
org.apache.xmlbeans.XmlException: error: Unexpected character encountered (lex state 8): '%' error: Unexpected character encountered (lex state 8): '%'


So my question at this point is this: How do I escape those characters or otherwise sanitize them if I can't get it to even load the XmlHolder?

1 Reply

  • SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hello,

    The reason that the response is not parsed as XML is that it is invalid: the contents of the faultstring are being parsed as an element (), which has no closing tag and contains illegal characters in the element name (namely %). This whole block should be escaped using a CDATA section. If possible, this needs to be changed on the server, as no conforming XML parser should treat the response as it is now correctly. A workaround you can do is to manually escape the string in soapUI. For example:


    def groovyUtils = new com.eviware.soapui.support.GroovyUtils(context)

    // Take the raw response text and wrap the faultstring body in a CDATA section,
    // so the parser does not try to read the reflected '<IMG%20...>' as markup
    def escaped = context.expand('${SOAP Request#Response}').replace('<faultstring>', '<faultstring><![CDATA[').replace('</faultstring>', ']]></faultstring>')
    def response = groovyUtils.getXmlHolder( escaped )



    Regards,
    Dain
    eviware.com
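The same workaround outside soapUI, as an added Python example that is not code from the thread: it shows a conforming parser rejecting the fault as posted, the client-side CDATA wrap (including the one case where a plain wrap breaks, a faultstring that itself contains `]]>`), and the server-side fix of escaping the reflected input before it is embedded in the XML. The sample response is constructed from the one in the question; the function names are mine.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the malformed fault from the question, with the
# unescaped reflected input sitting inside <faultstring>.
RAW_FAULT = """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Client</faultcode>
<faultstring>Invalid key: <IMG%20src='x-javascript:alert(document.cookie)'></faultstring>
<faultactor>/search/beta2</faultactor>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

FAULTSTRING_RE = re.compile(r"<faultstring>(.*?)</faultstring>", re.DOTALL)


def parses(xml_text):
    """True if a conforming XML parser accepts the document as well-formed."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def wrap_faultstring_in_cdata(xml_text):
    """Client-side workaround: wrap the faultstring body in a CDATA section.
    A CDATA section cannot contain ']]>', so that sequence is split across
    two sections; a plain replace() would produce invalid XML in that case."""
    def repl(m):
        body = m.group(1).replace("]]>", "]]]]><![CDATA[>")
        return "<faultstring><![CDATA[" + body + "]]></faultstring>"
    return FAULTSTRING_RE.sub(repl, xml_text)


def faultstring(xml_text):
    """Parse the (now well-formed) fault and return the faultstring text."""
    return ET.fromstring(xml_text).find(".//faultstring").text


def build_fault_escaped(message):
    """Server-side fix: escape '<', '>' and '&' in user input before embedding it."""
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            "<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Client</faultcode>"
            "<faultstring>" + escape(message) + "</faultstring>"
            "</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>")
```

The soapUI snippet in the reply has the same `]]>` limitation as a plain replace(); the parsed faultstring text is identical whether the fix is applied on the client or on the server.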