
Namespace URI is not encoded #107

Open
Marcono1234 opened this issue Sep 3, 2020 · 2 comments
@Marcono1234
Related to #48

It appears the URI argument for org.dom4j.Namespace is not encoded but is written as is to the XML string. This can cause malformed XML and might even allow XML injection.

import org.dom4j.DocumentHelper;
import org.dom4j.Element;

Element root = DocumentHelper.createElement("root");
// namespace URI containing characters that must be escaped inside an attribute value
root.addElement("name", "http://example.com/namespace\"><test>");
System.out.println(root.asXML());
// prints: <root><name xmlns="http://example.com/namespace"><test>"/></root>

This is also problematic because the Namespace URI is decoded when read from XML. So reading valid XML with a URI containing encoded characters can lead to malformed XML when the same document is written again.

@FilipJirsak FilipJirsak self-assigned this Sep 21, 2020
@ecki
ecki commented Nov 13, 2020

Is it better to url encode or xml encode those attributes? (I would think xml encoding or rejecting those values is better than messing with url escaping/normalization.)

@Marcono1234
Marcono1234 commented Nov 14, 2020

The right approach might be to XML encode them since the W3C Recommendation for Namespaces in XML §2.3 says:

[Definition: The two URIs are treated as strings, and they are identical if and only if the strings are identical, that is, if they are the same sequence of characters. ] The comparison is case-sensitive, and no %-escaping is done or undone.

So (to my understanding) performing URL encoding could change the meaning and should therefore not be done.
