From e86a489c353ee3e5e48712f4b85a5e4c4656a0e3 Mon Sep 17 00:00:00 2001
From: Ivan Kanakarakis <ivan.kanak@gmail.com>
Date: Tue, 14 May 2019 15:26:20 +0200
Subject: Escape single and double quotes, always

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
---
 src/saml2/pack.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/saml2/pack.py b/src/saml2/pack.py
index fc651645..5a2534c2 100644
--- a/src/saml2/pack.py
+++ b/src/saml2/pack.py
@@ -68,6 +68,10 @@ HTML_FORM_SPEC = """<!DOCTYPE html>
 </html>"""
 
 
+def _html_escape(payload):
+    return html.escape(payload, quote=True)
+
+
 def http_form_post_message(message, location, relay_state="",
                            typ="SAMLRequest", **kwargs):
     """The HTTP POST binding defines a mechanism by which SAML protocol
@@ -91,15 +95,15 @@ def http_form_post_message(message, location, relay_state="",
     _msg = _msg.decode('ascii')
 
     saml_response_input = HTML_INPUT_ELEMENT_SPEC.format(
-            name=html.escape(typ),
-            val=html.escape(_msg),
+            name=_html_escape(typ),
+            val=_html_escape(_msg),
             type='hidden')
 
     relay_state_input = ""
     if relay_state:
         relay_state_input = HTML_INPUT_ELEMENT_SPEC.format(
                 name='RelayState',
-                val=html.escape(relay_state),
+                val=_html_escape(relay_state),
                 type='hidden')
 
     response = HTML_FORM_SPEC.format(
-- 
cgit v1.2.1