Check user input in XML responses.

Fixes bug 1183884. * swift/account/server.py: Escape account name in XML listings. Change-Id: I33f25aa02c96a72cb54c9d7ebd916d06a8a69edf
openstack · Jun 13, 2013 · 4eed6bf · 4eed6bf
1 parent 0ce3e1d
commit 4eed6bf
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/swift/account/server.py b/swift/account/server.py
@@ -275,7 +275,7 @@ def GET(self, req):
             account_list = json.dumps(data)
         elif out_content_type.endswith('/xml'):
             output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
-                           '<account name="%s">' % account]
+                           '<account name="%s">' % saxutils.escape(account)]
             for (name, object_count, bytes_used, is_subdir) in account_list:
                 name = saxutils.escape(name)
                 if is_subdir: