Never include '&' in attribute values

Fixes: https://github.com/hughsie/lvfs-website/issues/33
hughsie · Jan 30, 2018 · 6048520 · 6048520
1 parent bdcec1e
commit 6048520
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/libappstream-glib/as-node.c b/libappstream-glib/as-node.c
@@ -327,12 +327,17 @@ as_node_get_attr_string (AsNodeData *data)
 
 	str = g_string_new ("");
 	for (l = data->attrs; l != NULL; l = l->next) {
+		g_autoptr(GString) value_safe = NULL;
 		attr = l->data;
 		if (g_strcmp0 (attr->key, "@comment") == 0 ||
 		    g_strcmp0 (attr->key, "@comment-tmp") == 0)
 			continue;
+		value_safe = g_string_new (attr->value);
+		as_utils_string_replace (value_safe, "&", "&amp;");
+		as_utils_string_replace (value_safe, "<", "&lt;");
+		as_utils_string_replace (value_safe, ">", "&gt;");
 		g_string_append_printf (str, " %s=\"%s\"",
-					attr->key, attr->value);
+					attr->key, value_safe->str);
 	}
 	return g_string_free (str, FALSE);
 }

diff --git a/libappstream-glib/as-self-test.c b/libappstream-glib/as-self-test.c
@@ -1047,7 +1047,7 @@ as_test_checksum_func (void)
 	AsNode *n;
 	AsNode *root;
 	GString *xml;
-	const gchar *src = "<checksum type=\"sha1\" filename=\"fn.cab\" target=\"container\">12345</checksum>";
+	const gchar *src = "<checksum type=\"sha1\" filename=\"f&amp;n.cab\" target=\"container\">12&amp;45</checksum>";
 	gboolean ret;
 	g_autoptr(AsNodeContext) ctx = NULL;
 	g_autoptr(AsChecksum) csum = NULL;
@@ -1077,8 +1077,8 @@ as_test_checksum_func (void)
 	/* verify */
 	g_assert_cmpint (as_checksum_get_kind (csum), ==, G_CHECKSUM_SHA1);
 	g_assert_cmpint (as_checksum_get_target (csum), ==, AS_CHECKSUM_TARGET_CONTAINER);
-	g_assert_cmpstr (as_checksum_get_filename (csum), ==, "fn.cab");
-	g_assert_cmpstr (as_checksum_get_value (csum), ==, "12345");
+	g_assert_cmpstr (as_checksum_get_filename (csum), ==, "f&n.cab");
+	g_assert_cmpstr (as_checksum_get_value (csum), ==, "12&45");
 
 	/* back to node */
 	root = as_node_new ();