From e5659a2882749e0b98892a657a4a2d13d95821b9 Mon Sep 17 00:00:00 2001
From: Trey
Date: Thu, 18 Jul 2024 12:02:07 -0400
Subject: [PATCH] fixing sanitization syntax

---
 player/service/plugins/routes/v1/courses.js | 9 ++++++---
 player/service/tests/xml.spec.js | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/player/service/plugins/routes/v1/courses.js b/player/service/plugins/routes/v1/courses.js
index d7dd8b8..af786a7 100644
--- a/player/service/plugins/routes/v1/courses.js
+++ b/player/service/plugins/routes/v1/courses.js
@@ -385,9 +385,12 @@ module.exports = {
 }
 }
 
- let courseStructureData = helpers.sanitizeXML(courseStructureDataRaw);
- if (courseStructureData != undefined && helpers.isPotentiallyMaliciousXML(courseStructureData)) {
- throw Boom.internal(`Invalid XML data provided: ${ex}`);
+ let courseStructureData = await helpers.sanitizeXML(courseStructureDataRaw);
+ if (courseStructureData != undefined) {
+ let seemsOdd = await helpers.isPotentiallyMaliciousXML(courseStructureData);
+ if (seemsOdd) {
+ throw Boom.internal(`Invalid XML data provided: ${ex}`);
+ }
 }
 
 let courseStructureDocument;
diff --git a/player/service/tests/xml.spec.js b/player/service/tests/xml.spec.js
index 2a96f87..88bf7c8 100644
--- a/player/service/tests/xml.spec.js
+++ b/player/service/tests/xml.spec.js
@@ -7,8 +7,9 @@ const fs = require("fs");
 const helpers = require("../plugins/routes/lib/helpers");
 const chai = require("chai");
+const exp = require("constants");
 
-describe("Libxmljs Usage", async () => {
+describe("XML Parsing and Usage", async () => {
 
 /**
 * https://www.stackhawk.com/blog/nodejs-xml-external-entities-xxe-guide-examples-and-prevention/
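Review bot: The `!= undefined` guard on the new `if` means an undefined result from `sanitizeXML` skips `isPotentiallyMaliciousXML` entirely and falls through to the `courseStructureDocument` parse below, so unless undefined is a deliberate "nothing to check" signal from the helper this fails open on exactly the input the sanitizer could not handle. Separately, `ex` is not declared anywhere in the hunk; if it is the parameter of a catch block closed by the braces above, the template literal raises a ReferenceError before `Boom.internal` is ever constructed. Rejecting client-supplied XML is also a 400 rather than a 500: `Boom.internal` hides the reason from the caller and shows up in logs as a server fault. I would collapse both checks into `if (courseStructureData === undefined || await helpers.isPotentiallyMaliciousXML(courseStructureData)) { throw Boom.badRequest("Invalid XML data provided"); }`. The enclosing handler starts and ends outside this hunk.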
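Review bot: `const exp = require("constants");` in the xml.spec.js hunk is never referenced and looks like an editor auto-import; `constants` is also a long-deprecated Node module, so the line should simply be dropped. The renamed `describe` still takes an `async` callback; mocha runs suite callbacks synchronously and ignores the returned promise, so `describe("XML Parsing and Usage", () => {` is the safer form. The describe body continues past the end of the hunk.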
@@ -22,4 +23,14 @@ describe("Libxmljs Usage", async () => {
 chai.expect(suspicious).to.be.equal(true, "The provided XML should have thrown a validity issue for its use of an {
+
+ let providedText = '\u0000Some text\u0000🎉🎉\u0000';
+ let expectedText = 'Some text';
+
+ let parsedText = await helpers.sanitizeXML(providedText);
+
+ chai.expect(parsedText).to.be.equal(expectedText, "The provided XML was not parsed into the expected text");
+ });
 });
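Review bot: The expected value `'Some text'` asserts that the helper drops the two 🎉 characters along with the NULs, but U+0000 is illegal in XML 1.0 whereas U+1F389 is ordinary character data, so if `sanitizeXML` really strips everything non-ASCII this test pins a behaviour that would also mangle non-Latin course titles; confirm that is the intent before keeping the emoji in the fixture. The opening line of the new `it(` block is not legible on this page, so its description and signature cannot be checked here. A second case that feeds a small document such as `'<a>\u0000b</a>'` and asserts the element markup survives would also help, since the fixture as written never exercises any XML structure.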