Home > vSphere API > Escaping Characters for SOAP XML: Late But Here

Escaping Characters for SOAP XML: Late But Here

September 26th, 2011 Leave a comment Go to comments

It’s a known bug in VI Java API that it did not escape strings to be included within a XML tag. The potential risk, although very very rare, is that it can blow the de-serialization of a request on the server side. I did get one or two reports on failing on login, which turned out to be caused by special characters like < or > in passwords. As a quick fix, an escaping logic has been added to escape the special characters in passwords.

This is of course just a workaround, not really meant to be future proof. I think the chance of getting into similar trouble is so small that it may not worth the effort to make it right until a recent bug report on the OVF importing. The method call ResourcePool.importVApp() returns with InvalidRequest exception as follows:

Time to learn how to "Google" and manage your VMware and clouds in a fast and secure

com.vmware.vim25.InvalidRequest: null
at com.vmware.vim25.ws.XmlGen.fromXml(XmlGen.java:201) ~[vijava3.jar:na]
at com.vmware.vim25.ws.XmlGen.parseSoapFault(XmlGen.java:80) ~[vijava3.jar:na]
at com.vmware.vim25.ws.WSClient.invoke(WSClient.java:133) ~[vijava3.jar:na]
at com.vmware.vim25.ws.VimStub.importVApp(VimStub.java:1418) ~[vijava3.jar:na]
at com.vmware.vim25.mo.ResourcePool.importVApp(ResourcePool.java:102) ~[vijava3.jar:na]

After being debugged it turned out to be related to a field of string type holding XML content, therefore breaks the server side.

We can patch it up with the same approach as with password, but decided to get it right this time as the possibility of running into this issue is higher in vSphere 5.

The fix should be fairly simple- that is to escape in the serialization engine. Whenever there is a string value, escape it with the following code.

private static String escapeForXML(String str)
  StringBuilder sb = new StringBuilder(str.length());

  for(int i=0; i<str.length(); i++)
    char c = str.charAt(i);

    else if(c=='<')
    else if(c=='>')
    else if(c=='"')
    else if(c=='\'')
  return sb.toString();

One of the reasons that I was slow to get it right was concern on performance. After testing it, it’s not bad at all. At least I cannot tell much difference in performance. After all, the string typed parameters are mostly pretty small in size. Also, using StringBuilder instead of StringBuffer might also have helped.

The fix will be in 5.0 GA build. From there, we will have a piece of mind that it won’t be a potential problem any more. Also changed is the importing vApp sample included in VI Java API.

Categories: vSphere API Tags: , ,
  1. No comments yet.
  1. No trackbacks yet.