util.xml: Add an option to allow <?processing instructions?>

These should generally be safe to just ignore, which should be the
default behavior of Expat and LuaExpat

2 files changed, 11 insertions, 1 deletions

diff --git a/spec/util_xml_spec.lua b/spec/util_xml_spec.lua
index 28a1cea7..6d3136ab 100644
--- a/spec/util_xml_spec.lua
+++ b/spec/util_xml_spec.lua
@@ -42,6 +42,13 @@ describe("util.xml", function()
 			assert.falsy(ok);
 		end);
 
+		it("should allow processing instructions if asked nicely", function()
+			local x = "<?xml-stylesheet href='make-fancy.xsl'?><foo/>";
+			local stanza = xml.parse(x, {allow_processing_instructions = true});
+			assert.truthy(stanza);
+			assert.are.equal(stanza.name, "foo");
+		end);
+
 		it("should allow an xml declaration", function()
 			local x = "<?xml version='1.0'?><foo/>";
 			local stanza = xml.parse(x);
diff --git a/util/xml.lua b/util/xml.lua
index 9322f3ad..2bf1ff4e 100644
--- a/util/xml.lua
+++ b/util/xml.lua
@@ -72,11 +72,14 @@ local parse_xml = (function()
 			end
 		end
 		handler.StartDoctypeDecl = restricted_handler;
-		handler.ProcessingInstruction = restricted_handler;
 		if not options or not options.allow_comments then
 			-- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
 			handler.Comment = restricted_handler;
 		end
+		if not options or not options.allow_processing_instructions then
+			-- Processing instructions should generally be safe to just ignore
+			handler.ProcessingInstruction = restricted_handler;
+		end
 		local parser = lxp.new(handler, ns_separator);
 		local ok, err, line, col = parser:parse(xml);
 		if ok then ok, err, line, col = parser:parse(); end