From 29571250d76fba34d7707b6aa37291d9bc36e3d4 Mon Sep 17 00:00:00 2001
From: Adam Hodowany
Date: Wed, 28 Aug 2024 11:38:39 +0200
Subject: [PATCH] Strip comments from SAML Response XML during scan

---
 src/esaml_binding.erl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/esaml_binding.erl b/src/esaml_binding.erl
index c59459d..669fd01 100644
--- a/src/esaml_binding.erl
+++ b/src/esaml_binding.erl
@@ -39,7 +39,7 @@ xml_payload_type(Xml) ->
 -spec decode_response(SAMLEncoding :: binary(), SAMLResponse :: binary()) -> #xmlDocument{}.
 decode_response(?deflate, SAMLResponse) ->
 XmlData = binary_to_list(zlib:unzip(base64:decode(SAMLResponse))),
- {Xml, _} = xmerl_scan:string(XmlData, [{namespace_conformant, true}]),
+ {Xml, _} = xmerl_scan:string(XmlData, [{namespace_conformant, true}, {comments, false}]),
 Xml;
 decode_response(_, SAMLResponse) ->
 Data = base64:decode(SAMLResponse),
@@ -47,7 +47,7 @@ decode_response(_, SAMLResponse) ->
 {'EXIT', _} -> binary_to_list(Data);
 Bin -> binary_to_list(Bin)
 end,
- {Xml, _} = xmerl_scan:string(XmlData, [{namespace_conformant, true}]),
+ {Xml, _} = xmerl_scan:string(XmlData, [{namespace_conformant, true}, {comments, false}]),
 Xml.
 
 %% @doc Encode a SAMLRequest (or SAMLResponse) as an HTTP-Redirect binding
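Review bot: Nothing in this patch pins the behaviour that `{comments, false}` is meant to guarantee on the `xmerl_scan:string/2` call in `decode_response(?deflate, ...)`, and the same holds for the identical change to the second clause in the next hunk. Whether text on either side of a dropped comment comes back as one `#xmlText` node or as two adjacent ones is decided inside xmerl and is not visible here; if it is two, a consumer that reads only the first text child of a signed element would still see a shortened value. A regression test that decodes a response carrying a comment inside an element's text and asserts the full value would settle it, and a line such as `%% Drop comments at scan time so they cannot split the text of signed elements` above each call would record why the option is there.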
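Review bot: The scanner option list is now repeated verbatim in both clauses of `decode_response/2`, so a later hardening change can easily land in one call and miss the other. Defining it once, e.g. `-define(SCAN_OPTS, [{namespace_conformant, true}, {comments, false}]).`, and passing `?SCAN_OPTS` to both calls keeps the two parse paths identical. Because this XML is presumably scanned before any signature check has run, that single list is also the place to consider `{allow_entities, false}` where the supported OTP releases provide it. The second clause begins above this hunk, so the `XmlData = case ...` line that its `end,` closes is not shown.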