XML control characters not escaped

[clange]

In the XML response to Vault command line client requests, XML control characters are not escaped. This leads to malformed XML characters in the response. Particularly, this is occurring in comments where a user has used those characters. I do not know if it happens in other parts of the database.

[Tonya]

Hello,

What Vault version do you have installed? Known characters should be escaped but there were some issues in earlier Vault versions. We applied some fixes in Vault 8.x so this version or anything above it should work accordingly.

Thanks,

Tonya

[clange]

We are using 9.1.0.

[Tonya]

Can you please provide us with an example of your command-line code that is not working properly for you?

Thanks,

Tonya

[clange]

Note: **** replaces any senstive information

Create label with comments that include quotes.
Example: Demo showing that "quotes" are not escaped.

Use the vault command line client.

vault rememberlogin -user **** -password **** -host ****
vault history -repository **** $/newfile.txt

Resulting XML

<vault>
<history>
<item txid="0" date="7/21/2020 8:31:24 AM" name="newfile.txt" type="90" typeName="Label" version="1" objverid="3353868" user="****" comment="[src date: 5/30/2013 10:50:40 PM]: Demo showing that &amp;quot;quotes&amp;quot; are not escaped." actionString="Labeled Newfile version 1 " />
<item txid="439823" date="5/30/2013 10:05:40 PM" name="newfile.txt" type="70" typeName="Created" version="1" objverid="3353868" user="****" actionString="Created" />
</history>
<bugsreferenced />
<result>
<success>True</success>
</result>
</vault>

Looking at the resulting output, here's a couple of specific questions.
Why does &amp; appear in the comment? There is no ampersand in the original comment.
There is no & appearing before quot;

[clange]

While looking at this, we found a similar issue with a most likely a slightly different cause.

The command line client does not appear to support Unicode characters in the comments. So if a Unicode character is entered in the GUI client, the command line returns ? (a question mark) for that character.

However, U+201C (LEFT DOUBLE QUOTATION MARK) is converted to U+0022 (QUOTATION MARK). Then the QUOTATION MARK is not escaped and ends in the XML of the command line response. This probably also happens for RIGHT DOUBLE QUOTATION MARK but I didn't check.

[Tonya]

Thank you for the additional details. I was able to reproduce the problem and have logged these issues to be completed in an upcoming release.

Tonya

[clange]

To clarify, did you reproduce the problem below on version 10.1.0? That was the currently released version last July and still is.

[Tonya]

Yes, we tested and reproduced the issue on the latest release, Vault 10.1.0.

Tonya

[clange]

Is this issue fixed on version 10.2?

[Tonya]

Hello again,

Thank you for checking in with us on the status of this issue. Unfortunately, it did not make the 10.2 release but will hopefully make it in Vault 11.

Tonya