Escape XML reserved characters when writing JATS-formatted text to database

rhigman · rhigman · commit d25c31dbb5a3 · 2026-05-13T15:40:14.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Fixed
+  - [751](https://github.com/thoth-pub/thoth/pull/751) - Escape XML reserved characters when writing JATS-formatted text to database
 
 ## [[1.3.1]](https://github.com/thoth-pub/thoth/releases/tag/v1.3.1) - 2026-05-06
 ### Security
diff --git a/thoth-api/src/markup/ast.rs b/thoth-api/src/markup/ast.rs
@@ -30,6 +30,19 @@ fn inline_text_to_plain_text(nodes: &[Node]) -> String {
     nodes.iter().map(ast_to_plain_text).collect()
 }
 
+fn escape_xml_text(input: &str) -> String {
+    input
+        .replace('&', "&amp;")
+        .replace('<', "&lt;")
+        .replace('>', "&gt;")
+}
+
+fn escape_xml_attr(input: &str) -> String {
+    escape_xml_text(input)
+        .replace('"', "&quot;")
+        .replace('\'', "&apos;")
+}
+
 fn looks_like_email(text: &str) -> bool {
     regex::Regex::new(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
         .unwrap()
@@ -680,16 +693,16 @@ pub fn plain_text_to_ast(text: &str) -> Node {
 pub fn plain_text_ast_to_jats(node: &Node) -> String {
     fn render_plain_text_inline(node: &Node) -> String {
         match node {
-            Node::Text(text) => text.clone(),
+            Node::Text(text) => escape_xml_text(text),
             Node::Break => "<break/>".to_string(),
             Node::InlineFormula(tex) => {
                 format!(
                     "<inline-formula><tex-math>{}</tex-math></inline-formula>",
-                    tex
+                    escape_xml_text(tex)
                 )
             }
-            Node::Email(email) => format!("<email>{}</email>", email),
-            Node::Uri(uri) => format!("<uri>{}</uri>", uri),
+            Node::Email(email) => format!("<email>{}</email>", escape_xml_text(email)),
+            Node::Uri(uri) => format!("<uri>{}</uri>", escape_xml_text(uri)),
             other => ast_to_jats(other),
         }
     }
@@ -712,16 +725,16 @@ pub fn plain_text_ast_to_jats(node: &Node) -> String {
             let inner: String = children.iter().map(render_plain_text_inline).collect();
             format!("<p>{}</p>", inner)
         }
-        Node::Text(text) => format!("<p>{}</p>", text),
+        Node::Text(text) => format!("<p>{}</p>", escape_xml_text(text)),
         Node::Break => "<p><break/></p>".to_string(),
         Node::InlineFormula(tex) => {
             format!(
                 "<p><inline-formula><tex-math>{}</tex-math></inline-formula></p>",
-                tex
+                escape_xml_text(tex)
             )
         }
-        Node::Email(email) => format!("<p><email>{}</email></p>", email),
-        Node::Uri(uri) => format!("<p><uri>{}</uri></p>", uri),
+        Node::Email(email) => format!("<p><email>{}</email></p>", escape_xml_text(email)),
+        Node::Uri(uri) => format!("<p><uri>{}</uri></p>", escape_xml_text(uri)),
         _ => {
             // For other nodes, use regular ast_to_jats
             ast_to_jats(node)
@@ -780,17 +793,21 @@ pub fn ast_to_jats(node: &Node) -> String {
         }
         Node::Link { url, text } => {
             let inner: String = text.iter().map(ast_to_jats).collect();
-            format!(r#"<ext-link xlink:href="{}">{}</ext-link>"#, url, inner)
+            format!(
+                r#"<ext-link xlink:href="{}">{}</ext-link>"#,
+                escape_xml_attr(url),
+                inner
+            )
         }
         Node::InlineFormula(tex) => {
             format!(
                 "<inline-formula><tex-math>{}</tex-math></inline-formula>",
-                tex
+                escape_xml_text(tex)
             )
         }
-        Node::Email(email) => format!("<email>{}</email>", email),
-        Node::Uri(uri) => format!("<uri>{}</uri>", uri),
-        Node::Text(text) => text.clone(),
+        Node::Email(email) => format!("<email>{}</email>", escape_xml_text(email)),
+        Node::Uri(uri) => format!("<uri>{}</uri>", escape_xml_text(uri)),
+        Node::Text(text) => escape_xml_text(text),
     }
 }
 
@@ -1997,6 +2014,64 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_ast_to_jats_escapes_reserved_xml_chars() {
+        let ast = Node::Paragraph(vec![
+            Node::Text("x < y & z > w ".to_string()),
+            Node::InlineFormula("a < b & c".to_string()),
+            Node::Text(" ".to_string()),
+            Node::Email("user@example.org".to_string()),
+            Node::Text(" ".to_string()),
+            Node::Uri("https://example.org?a=1&b=2".to_string()),
+        ]);
+
+        let jats = ast_to_jats(&ast);
+        assert_eq!(
+            jats,
+            "<p>x &lt; y &amp; z &gt; w <inline-formula><tex-math>a &lt; b &amp; c</tex-math></inline-formula> <email>user@example.org</email> <uri>https://example.org?a=1&amp;b=2</uri></p>"
+        );
+    }
+
+    #[test]
+    fn test_ast_to_jats_escapes_link_url_attribute() {
+        let ast = Node::Link {
+            url: "https://example.com?a=1&b=2".to_string(),
+            text: vec![Node::Text("Link text".to_string())],
+        };
+
+        let jats = ast_to_jats(&ast);
+        assert_eq!(
+            jats,
+            r#"<ext-link xlink:href="https://example.com?a=1&amp;b=2">Link text</ext-link>"#
+        );
+    }
+
+    #[test]
+    fn test_ast_to_jats_preserves_generated_tags() {
+        let ast = Node::Paragraph(vec![
+            Node::Bold(vec![Node::Text("Bold".to_string())]),
+            Node::Text(" and ".to_string()),
+            Node::Italic(vec![Node::Text("italic".to_string())]),
+        ]);
+
+        let jats = ast_to_jats(&ast);
+        assert_eq!(jats, "<p><bold>Bold</bold> and <italic>italic</italic></p>");
+        assert!(!jats.contains("&lt;bold&gt;"));
+    }
+
+    #[test]
+    fn test_ast_to_jats_preserves_generated_tags_and_escapes() {
+        let ast = Node::Paragraph(vec![
+            Node::Bold(vec![Node::Text("Bo<ld".to_string())]),
+            Node::Text(" & ".to_string()),
+            Node::Italic(vec![Node::Text("ita>lic".to_string())]),
+        ]);
+
+        let jats = ast_to_jats(&ast);
+        assert_eq!(jats, "<p><bold>Bo&lt;ld</bold> &amp; <italic>ita&gt;lic</italic></p>");
+        assert!(!jats.contains("&lt;bold&gt;"));
+    }
+
     #[test]
     fn test_ast_to_jats_break_formula_email_and_uri() {
         let ast = Node::Paragraph(vec![
diff --git a/thoth-api/src/markup/mod.rs b/thoth-api/src/markup/mod.rs
@@ -315,7 +315,7 @@ pub fn convert_to_jats(
     format: MarkupFormat,
     conversion_limit: ConversionLimit,
 ) -> ThothResult<String> {
-    if format == MarkupFormat::JatsXml {
+    let output = if format == MarkupFormat::JatsXml {
         let content_looks_like_jats = looks_like_markup(&content);
         let ast = if content_looks_like_jats {
             validate_jats_subset(&content, conversion_limit)?;
@@ -332,70 +332,61 @@ pub fn convert_to_jats(
 
         validate_ast_content(&processed_ast, conversion_limit)?;
 
-        return Ok(
-            if content_looks_like_jats || conversion_limit == ConversionLimit::Title {
-                ast_to_jats(&processed_ast)
-            } else {
-                plain_text_ast_to_jats(&processed_ast)
-            },
-        );
-    }
+        if content_looks_like_jats || conversion_limit == ConversionLimit::Title {
+            ast_to_jats(&processed_ast)
+        } else {
+            plain_text_ast_to_jats(&processed_ast)
+        }
+    } else {
+        validate_format(&content, &format)?;
 
-    validate_format(&content, &format)?;
+        match format {
+            MarkupFormat::Html => {
+                let ast = html_to_ast(&content);
+                let processed_ast = if conversion_limit == ConversionLimit::Title {
+                    strip_structural_elements_from_ast_for_conversion(&ast)
+                } else {
+                    ast
+                };
 
-    match format {
-        MarkupFormat::Html => {
-            // Use ast library to parse HTML and convert to JATS
-            let ast = html_to_ast(&content);
-
-            // For title conversion, strip structural elements before validation
-            let processed_ast = if conversion_limit == ConversionLimit::Title {
-                strip_structural_elements_from_ast_for_conversion(&ast)
-            } else {
-                ast
-            };
-
-            validate_ast_content(&processed_ast, conversion_limit)?;
-            Ok(ast_to_jats(&processed_ast))
-        }
+                validate_ast_content(&processed_ast, conversion_limit)?;
+                ast_to_jats(&processed_ast)
+            }
 
-        MarkupFormat::Markdown => {
-            // Use ast library to parse Markdown and convert to JATS
-            let ast = markdown_to_ast(&content);
-
-            // For title conversion, strip structural elements before validation
-            let processed_ast = if conversion_limit == ConversionLimit::Title {
-                strip_structural_elements_from_ast_for_conversion(&ast)
-            } else {
-                ast
-            };
-
-            validate_ast_content(&processed_ast, conversion_limit)?;
-            Ok(ast_to_jats(&processed_ast))
-        }
+            MarkupFormat::Markdown => {
+                let ast = markdown_to_ast(&content);
+                let processed_ast = if conversion_limit == ConversionLimit::Title {
+                    strip_structural_elements_from_ast_for_conversion(&ast)
+                } else {
+                    ast
+                };
 
-        MarkupFormat::PlainText => {
-            // Use ast library to parse plain text and convert to JATS
-            let ast = plain_text_to_ast(&content);
-
-            // For title conversion, strip structural elements before validation
-            let processed_ast = if conversion_limit == ConversionLimit::Title {
-                strip_structural_elements_from_ast_for_conversion(&ast)
-            } else {
-                ast
-            };
-
-            validate_ast_content(&processed_ast, conversion_limit)?;
-            Ok(if conversion_limit == ConversionLimit::Title {
-                // Title JATS should remain inline (no paragraph wrapper)
+                validate_ast_content(&processed_ast, conversion_limit)?;
                 ast_to_jats(&processed_ast)
-            } else {
-                plain_text_ast_to_jats(&processed_ast)
-            })
+            }
+
+            MarkupFormat::PlainText => {
+                let ast = plain_text_to_ast(&content);
+                let processed_ast = if conversion_limit == ConversionLimit::Title {
+                    strip_structural_elements_from_ast_for_conversion(&ast)
+                } else {
+                    ast
+                };
+
+                validate_ast_content(&processed_ast, conversion_limit)?;
+                if conversion_limit == ConversionLimit::Title {
+                    ast_to_jats(&processed_ast)
+                } else {
+                    plain_text_ast_to_jats(&processed_ast)
+                }
+            }
+
+            MarkupFormat::JatsXml => unreachable!("handled above"),
         }
+    };
 
-        MarkupFormat::JatsXml => unreachable!("handled above"),
-    }
+    validate_jats_subset(&output, conversion_limit)?;
+    Ok(output)
 }
 
 /// normalise stored abstract-like markup into the subset we safely emit to Crossref.
@@ -607,6 +598,64 @@ mod tests {
         assert_eq!(output, "<p>Hello <uri>https://example.com</uri> world</p>");
     }
 
+    #[test]
+    fn test_plain_text_abstract_escapes_reserved_xml_chars() {
+        let input = "x < y & z > w";
+        let output = convert_to_jats(
+            input.to_string(),
+            MarkupFormat::PlainText,
+            ConversionLimit::Abstract,
+        )
+        .unwrap();
+
+        assert_eq!(output, "<p>x &lt; y &amp; z &gt; w</p>");
+    }
+
+    #[test]
+    fn test_plain_text_jatsxml_abstract_escapes_reserved_xml_chars() {
+        let input = "x < y & z > w";
+        let output = convert_to_jats(
+            input.to_string(),
+            MarkupFormat::JatsXml,
+            ConversionLimit::Abstract,
+        )
+        .unwrap();
+
+        assert_eq!(output, "<p>x &lt; y &amp; z &gt; w</p>");
+    }
+
+    #[test]
+    fn test_plain_text_rich_content_escapes_xml_reserved_chars() {
+        let input = "x < y & user@example.org https://example.org?a=1&b=2 $a < b & c$ > w";
+        let output = convert_to_jats(
+            input.to_string(),
+            MarkupFormat::PlainText,
+            ConversionLimit::Abstract,
+        )
+        .unwrap();
+
+        assert_eq!(
+            output,
+            "<p>x &lt; y &amp; <email>user@example.org</email> <uri>https://example.org?a=1&amp;b=2</uri> <inline-formula><tex-math>a &lt; b &amp; c</tex-math></inline-formula> &gt; w</p>"
+        );
+    }
+
+    #[test]
+    fn test_html_link_url_escapes_reserved_xml_chars() {
+        let input = r#"<a href="https://example.com?a=1&amp;b=2">Link</a>"#;
+        let output = convert_to_jats(
+            input.to_string(),
+            MarkupFormat::Html,
+            ConversionLimit::Abstract,
+        )
+        .unwrap();
+
+        assert_eq!(
+            output,
+            r#"<p><ext-link xlink:href="https://example.com?a=1&amp;b=2">Link</ext-link></p>"#
+        );
+    }
+
     #[test]
     fn test_plain_text_no_url() {
         let input = "Just plain text.";
