Fix for CVE-2017-11428 does not normalize text before returning it

[Umofomia]

The fix for CVE-2017-11428 essentially replaced the call to element.text with element.texts.join. However, the behavior of text differs from texts in the following way (emphasis mine):

This method returns the value of the first text child node, which ignores the raw setting, so always returns normalized text.
https://ruby-doc.org/stdlib-2.3.0/libdoc/rexml/rdoc/REXML/Element.html#method-i-text

texts does not normalize the text before returning it. This primarily breaks cases where the raw text contains elements that are escaped. Here's an example of the main difference:

REXML::Document.new('<foo>the pen &gt; the sword</foo>').elements.first.text
# => "the pen > the sword"
REXML::Document.new('<foo>the pen &gt; the sword</foo>').elements.first.texts.join
# => "the pen &gt; the sword"

Proposed fix

Since REXML::Element#text calls REXML::Text#value to normalize the text value, change the call to elements.texts.join with elements.texts.map(&:value).join to normalize the text before returning it:

REXML::Document.new('<foo>the pen &gt; the sword</foo>').elements.first.texts.map(&:value).join
# => "the pen > the sword"

I can look into creating a pull request for this fix if you agree.

[Umofomia]

I ended up creating pull request #446 to address this. If you decide it looks good once you review it, can a new version be released that has this fix? It's currently blocking our ability to deploy the fix for CVE-2017-11428. Thanks!

[Umofomia]

I noticed you also backported the fix for CVE-2017-11428 to prior versions of ruby-saml too, so you may want to consider backporting this fix to those versions too.

[pitbulk]

Hi, thanks for that research. We gonna review it and see if that change have any other implications and merge it asap when validated.

[pitbulk]

Version 1.7.2 is live, thank for your research and PR