We recently had a user enter an email address that included an '&', and according to some research that is valid for an email address.

However, when we process that and try to pass the data in XML the '&' causes issues because the data is not encoded or sanitized in any way.

What is the best practice to handle XML special characters and, more generally, sanitizing user input?

Do I need to handle each field individually or can this be done at a form level?

We have a lot of Groovy scripts handling the XML, so it looks like it may be a major task; I'm hoping there is a more generic or global solution.

Any feedback would be appreciated.




    1 answer


      Mark, the Avoka platform automatically encodes user entered data. You can verify this by checking the form XML in the transaction logs of Manager.

      For example, if I enter "A&<>B" in a text field, the value in the transaction XML is:


      This is the case whether you are using Maestro or Composer, so I'm confused as to why you are having a problem with this. Can you be more specific about the issues you are seeing?

      1. Mark Murray

        Hi Ben, strictly speaking this is not really user input into a form. The issue is in the prefill processing; the form is launched from our CRM instance, then the Groovy script queries CRM to get more information, then puts that into XML in order to prefill the form. In this case the email address had an '&' in it, so when the data was processed to generate the XML it failed; the script is not well crafted to handle XML. I expected that the form would handle XML encoding, so it's good to have that confirmed. It seems our problems are not the form itself but our script processing before and after the form. So, the solution is to fix our scripts, rather than focus on the form itself. Thanks, Mark

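The script-side fix Mark lands on, shown as an added Groovy example; this is not code from the thread, from the Avoka platform or from the CRM integration, and the `contact` map, the `prefill`/`fullName`/`email` element names and the helper names are constructed for illustration. It contrasts the string-concatenation pattern that breaks on '&' with two escaping approaches, and adds a well-formedness guard that also refuses DOCTYPE declarations so the parser cannot be steered into entity expansion:

```groovy
import groovy.xml.MarkupBuilder
import groovy.xml.XmlUtil
import javax.xml.parsers.DocumentBuilderFactory
import org.xml.sax.InputSource
import org.xml.sax.SAXException

// Constructed sample of what a CRM lookup might return; not real data.
Map contact = [name: 'Smith & Sons <Ltd>', email: 'a&b@example.com']

// BROKEN: interpolating raw values leaves '&' and '<' unescaped, so the
// resulting document is not well-formed XML and the prefill step fails.
String naivePrefill(Map c) {
    return "<prefill><fullName>${c.name}</fullName><email>${c.email}</email></prefill>"
}

// FIX 1: escape every value at the point it enters the markup.
// XmlUtil.escapeXml turns '&' into '&amp;' and '<' into '&lt;' (it also
// handles '>', '"' and "'"), so the result is safe in text nodes and attributes.
String escapedPrefill(Map c) {
    return "<prefill><fullName>${XmlUtil.escapeXml(c.name)}</fullName>" +
           "<email>${XmlUtil.escapeXml(c.email)}</email></prefill>"
}

// FIX 2 (preferred): build the document with MarkupBuilder. The builder
// escapes text and attribute values itself, so no individual field can be
// forgotten. This is the "form level" answer to the per-field question:
// escape once, in the layer that produces the XML, rather than per field.
String builtPrefill(Map c) {
    StringWriter out = new StringWriter()
    new MarkupBuilder(out).prefill {
        fullName(c.name)
        email(c.email)
    }
    return out.toString()
}

// Guard to run before the XML is handed to the form. DOCTYPE is disallowed
// (Xerces feature name used by the JDK parser) so a crafted document cannot
// trigger external entity expansion (XXE) while being checked.
boolean isWellFormed(String xml) {
    try {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance()
        factory.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)
        factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
        return true
    } catch (SAXException e) {
        return false
    }
}

assert !isWellFormed(naivePrefill(contact))   // raw '&' and '<' break the document
assert isWellFormed(escapedPrefill(contact))
assert isWellFormed(builtPrefill(contact))
assert escapedPrefill(contact).contains('a&amp;b@example.com')
assert builtPrefill(contact).contains('Smith &amp; Sons &lt;Ltd')
println builtPrefill(contact)
```

Run it with `groovy prefill.groovy`; the assertions pass silently and the builder output is printed. The same two fixes apply to the post-form scripts Mark mentions: anything that reads values out of the form XML and writes them into another XML document should go through a builder or `XmlUtil.escapeXml`, never through string concatenation.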