Test xs:string for valid characters according to the XML 1.1 specifications

tvdijen · tvdijen · commit 600e2307ee75 · 2026-03-24T21:00:16.000+01:00
diff --git a/src/XML/Assert/StringTrait.php b/src/XML/Assert/StringTrait.php
@@ -4,6 +4,8 @@
 
 namespace SimpleSAML\XML\Assert;
 
+use SimpleSAML\XMLSchema\Exception\SchemaViolationException;
+
 /**
  * @package simplesamlphp/xml-common
  */
@@ -15,5 +17,10 @@ trait StringTrait
      */
     protected static function validString(string $value, string $message = ''): void
     {
+        Assert::regex(
+            $value,
+            '/^[\x09\x0A\x0D\x{20}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]*$/u',
+            SchemaViolationException::class,
+        );
     }
 }
diff --git a/src/XMLSchema/Type/StringValue.php b/src/XMLSchema/Type/StringValue.php
@@ -4,6 +4,8 @@
 
 namespace SimpleSAML\XMLSchema\Type;
 
+use SimpleSAML\XML\Assert\Assert;
+use SimpleSAML\XMLSchema\Exception\SchemaViolationException;
 use SimpleSAML\XMLSchema\Type\Interface\AbstractAnySimpleType;
 
 /**
@@ -12,4 +14,16 @@
 class StringValue extends AbstractAnySimpleType
 {
     public const string SCHEMA_TYPE = 'string';
+
+
+    /**
+     * Validate the value.
+     *
+     * @param string $value
+     * @throws \SimpleSAML\XMLSchema\Exception\SchemaViolationException on failure
+     */
+    protected function validateValue(string $value): void
+    {
+        Assert::validString($value, SchemaViolationException::class);
+    }
 }
diff --git a/tests/XML/Assert/StringTest.php b/tests/XML/Assert/StringTest.php
@@ -9,6 +9,9 @@
 use PHPUnit\Framework\TestCase;
 use SimpleSAML\Assert\AssertionFailedException;
 use SimpleSAML\XML\Assert\Assert;
+use SimpleSAML\XMLSchema\Exception\SchemaViolationException;
+
+use function chr;
 
 /**
  * Class \SimpleSAML\Test\XML\Assert\StringTest
@@ -28,7 +31,7 @@ public function testString(bool $shouldPass, string $str): void
         try {
             Assert::validString($str);
             $this->assertTrue($shouldPass);
-        } catch (AssertionFailedException $e) {
+        } catch (AssertionFailedException|SchemaViolationException $e) {
             $this->assertFalse($shouldPass);
         }
     }
@@ -42,6 +45,9 @@ public static function provideString(): array
         return [
             'preserve spaces' => [true, '  Snoopy  '],
             'replace whitespace' => [true, "  Snoopy\t\n\rrulez  "],
+            'html' => [true, "<em>SimpleSAMLphp</em>"],
+            'unicode' => [true, 'ünïcöde €Φ汉'],
+            'invalid character' => [false, "Valid text with " . chr(0) . " invalid null byte"],
         ];
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@`
`4`	`4`
`5`	`5`	`namespace SimpleSAML\XML\Assert;`
`6`	`6`
	`7`	`+use SimpleSAML\XMLSchema\Exception\SchemaViolationException;`
	`8`	`+`
`7`	`9`	`/**`
`8`	`10`	`* @package simplesamlphp/xml-common`
`9`	`11`	`*/`
`@@ -15,5 +17,10 @@ trait StringTrait`
`15`	`17`	`*/`
`16`	`18`	`protected static function validString(string $value, string $message = ''): void`
`17`	`19`	`{`
	`20`	`+ Assert::regex(`
	`21`	`+ $value,`
	`22`	`+ '/^[\x09\x0A\x0D\x{20}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]*$/u',`
	`23`	`+ SchemaViolationException::class,`
	`24`	`+ );`
`18`	`25`	`}`
`19`	`26`	`}`