Merge pull request #11984 from adrianschroeter/fix_patchinfo_encode

[api] fix encoding on patchinfo creation

src/api/app/models/patchinfo.rb

@@ -162,9 +162,9 @@ def create_patchinfo_from_request(project, req)
     xml = patchinfo_node(project)
 
     description = req.description || ''
-    xml.add_child("<packager>#{req.creator}</packager>")
-    xml.add_child("<summary>#{description.split(/\n|\r\n/)[0]}</summary>") # first line only
-    xml.add_child("<description>#{description}</description>")
+    xml.add_child("<packager>#{CGI.escapeHTML(req.creator)}</packager>")
+    xml.add_child("<summary>#{CGI.escapeHTML(description.split(/\n|\r\n/)[0] || '')}</summary>") # first line only
+    xml.add_child("<description>#{CGI.escapeHTML(description)}</description>")
 
     xml = update_patchinfo(project, xml, enfore_issue_update: true)
     Backend::Api::Sources::Package.write_patchinfo(@pkg.project.name, @pkg.name, User.session!.login, xml.to_xml,
@@ -210,8 +210,12 @@ def create_patchinfo(project, pkg_name, opts = {})
 
     # create patchinfo XML file
     xml = patchinfo_node(@pkg.project)
-    xml.add_child("<packager>#{User.session!.login}</packager>")
-    xml.add_child("<summary>#{opts[:comment]}</summary>")
+    xml.add_child("<packager>#{CGI.escapeHTML(User.session!.login)}</packager>")
+    if opts[:comment].present?
+      xml.add_child("<summary>#{CGI.escapeHTML(opts[:comment])}</summary>")
+    else
+      xml.add_child('<summary/>')
+    end
     xml.add_child('<description/>')
     xml = update_patchinfo(@pkg.project, xml)
     if CONFIG['global_write_through']

src/api/test/functional/maintenance_test.rb

@@ -208,12 +208,13 @@ def test_maintenance_request_from_foreign_and_remote_project
                                    <state name="new" />
                                  </request>'
     assert_response :success
+    # note the &lt; inside description to test html encoding for _patchinfo file
     post '/request?cmd=create&addrevision=1', params: '<request>
                                    <action type="maintenance_incident">
                                      <source project="RemoteInstance:kde4" package="kdelibs" />
                                      <target project="My:Maintenance" releaseproject="BaseDistro2.0:LinkedUpdateProject" />
                                    </action>
-                                   <description>To fix my bug</description>
+                                   <description>To fix my &lt;bug</description>
                                    <state name="new" />
                                  </request>'
     assert_response :success
@@ -262,7 +263,7 @@ def test_maintenance_request_from_foreign_and_remote_project
     assert_response :success
     assert_xml_tag tag: 'packager', content: 'tom'
     assert_xml_tag(tag: 'patchinfo', attributes: { incident: '0' })
-    assert_xml_tag tag: 'description', content: 'To fix my bug'
+    assert_xml_tag tag: 'description', content: 'To fix my <bug'
 
     # again but find update project automatically and use a linked package
     login_tom