Checked user input in XML responses.

Fixes bug 1183884. * swift/account/utils.py: Escape account name in XML listings. Change-Id: I2392d012ddeec05a267c3dcf14748112316096f3
openstack · Jun 13, 2013 · 8f9b135 · 8f9b135
1 parent 6001b45
commit 8f9b135
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/swift/account/utils.py b/swift/account/utils.py
@@ -96,7 +96,7 @@ def account_listing_response(account, req, response_content_type, broker=None,
         account_list = json.dumps(data)
     elif response_content_type.endswith('/xml'):
         output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
-                       '<account name="%s">' % account]
+                       '<account name="%s">' % saxutils.escape(account)]
         for (name, object_count, bytes_used, is_subdir) in account_list:
             name = saxutils.escape(name)
             if is_subdir: