Never include '&' in attribute values

Fixes: https://github.com/hughsie/lvfs-website/issues/33
author: Richard Hughes <richard@hughsie.com> 2018-01-30 23:03:59 +0000
committer: Richard Hughes <richard@hughsie.com> 2018-01-30 23:03:59 +0000
commit: 6048520484101df5d33f3c852c10640e630d20cf (patch)
tree: 37fb32e1521d44f7c9a3c308630b63357077b856 /libappstream-glib/as-node.c
parent: bdcec1ecee0549e404fdf40dc4529b4380ef87ea (diff)
download: appstream-glib-6048520484101df5d33f3c852c10640e630d20cf.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libappstream-glib/as-node.c b/libappstream-glib/as-node.c
index f8199a9..945c465 100644
--- a/libappstream-glib/as-node.c
+++ b/libappstream-glib/as-node.c
@@ -327,12 +327,17 @@ as_node_get_attr_string (AsNodeData *data)
 
 	str = g_string_new ("");
 	for (l = data->attrs; l != NULL; l = l->next) {
+		g_autoptr(GString) value_safe = NULL;
 		attr = l->data;
 		if (g_strcmp0 (attr->key, "@comment") == 0 ||
 		    g_strcmp0 (attr->key, "@comment-tmp") == 0)
 			continue;
+		value_safe = g_string_new (attr->value);
+		as_utils_string_replace (value_safe, "&", "&amp;");
+		as_utils_string_replace (value_safe, "<", "&lt;");
+		as_utils_string_replace (value_safe, ">", "&gt;");
 		g_string_append_printf (str, " %s=\"%s\"",
-					attr->key, attr->value);
+					attr->key, value_safe->str);
 	}
 	return g_string_free (str, FALSE);
 }
author	Richard Hughes <richard@hughsie.com>	2018-01-30 23:03:59 +0000
committer	Richard Hughes <richard@hughsie.com>	2018-01-30 23:03:59 +0000
commit	6048520484101df5d33f3c852c10640e630d20cf (patch)
tree	37fb32e1521d44f7c9a3c308630b63357077b856 /libappstream-glib/as-node.c
parent	bdcec1ecee0549e404fdf40dc4529b4380ef87ea (diff)
download	appstream-glib-6048520484101df5d33f3c852c10640e630d20cf.tar.gz