Vet The Return of Saved XML

Ezequiel-Valencia · Ezequiel-Valencia · commit 6abc96d8d14b · 2025-06-09T12:29:26.000-04:00
diff --git a/vcell-rest/src/main/java/org/vcell/restq/handlers/BioModelResource.java b/vcell-rest/src/main/java/org/vcell/restq/handlers/BioModelResource.java
@@ -186,7 +186,9 @@ public String save(@RequestBody(name = "bioModelVCML", required = true, descript
             XmlUtil.vetXMLForMaliciousEntities(bioModelVCML);
             cbit.vcell.biomodel.BioModel savedBioModel = bioModelRestService.save(user, bioModelVCML,
                     newName.orElse(null), simNames.toArray(new String[0]));
-            return XmlHelper.bioModelToXML(savedBioModel);
+            String result = XmlHelper.bioModelToXML(savedBioModel);
+            XmlUtil.vetXMLForMaliciousEntities(result);
+            return result;
         } catch (DataAccessException e) {
             throw new DataAccessWebException(e.getMessage(), e);
         } catch (XmlParseException | IOException | JDOMException e){
diff --git a/vcell-rest/src/main/java/org/vcell/restq/handlers/MathModelResource.java b/vcell-rest/src/main/java/org/vcell/restq/handlers/MathModelResource.java
@@ -132,6 +132,7 @@ public String save(@RequestBody(name = "mathModelVCML", required = true) String
         try{
             XmlUtil.vetXMLForMaliciousEntities(mathModelVCML);
             BigString result = mathModelService.saveModel(user, new BigString(mathModelVCML), newName.orElse(null), simNames.toArray(new String[0]));
+            XmlUtil.vetXMLForMaliciousEntities(result.toString()); // partial saves might include already saved XML
             return result.toString();
         } catch (DataAccessException e) {
             throw new DataAccessWebException(e.getMessage(), e);
