From d8298ba6d0ad2a56dcb4f7285192cd63bf390ee3 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Sat, 15 Apr 2017 23:27:24 +0200
Subject: [PATCH] Fix #1870 - Strip control characters out of strings in AtomSerializer

---
 app/lib/atom_serializer.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/lib/atom_serializer.rb b/app/lib/atom_serializer.rb
index 69e1f153..739ad4aa 100644
--- a/app/lib/atom_serializer.rb
+++ b/app/lib/atom_serializer.rb
@@ -311,11 +311,17 @@ class AtomSerializer
 
 def append_element(parent, name, content = nil, attributes = {})
 element = Ox::Element.new(name)
- attributes.each { |k, v| element[k] = v.to_s }
- element << content.to_s unless content.nil?
+ attributes.each { |k, v| element[k] = sanitize_str(v) }
+ element << sanitize_str(content) unless content.nil?
 parent << element
 end
 
+ def sanitize_str(raw_str)
+ str = raw_str.to_s
+ ["\v", "\f", "\b"].each { |char| str = str.delete(char) }
+ str
+ end
+
 def add_namespaces(parent)
 parent['xmlns'] = TagManager::XMLNS
 parent['xmlns:thr'] = TagManager::THR_XMLNS
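Review bot: `sanitize_str` removes only `\v`, `\f` and `\b`, but XML 1.0 forbids every C0 control character except tab, LF and CR, so element content or attribute values carrying any of the others (NUL or ESC, for example) would still make `append_element` emit a document that conforming parsers reject. These strings presumably include user-supplied or remote text, so filtering against the XML `Char` production is more robust than a three-character denylist, for instance `raw_str.to_s.gsub(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/, '')`. That single call also replaces the loop that reassigns `str` once per character. No spec change is visible in this patch; a regression test that serializes a string containing each stripped character and re-parses the output would pin the behaviour.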