Fixing bug #4281: Better escaping of XML attributes.

author: Pierre-Marie Pédrot 2015-07-28 15:10:35 +0200
committer: Pierre-Marie Pédrot 2015-07-28 15:11:03 +0200
commit: e706bbd36237abc6c63d3e30cdaf9a42ac458215 (patch)
tree: 3ad1c1161fd9e09fee79575218689af5767f56f7
parent: 01248339f4f18cc1635b591447d343a1b4565a80 (diff)
2 files changed, 12 insertions, 0 deletions
diff --git a/lib/xml_lexer.mll b/lib/xml_lexer.mll
index a33be9da73..f6943dd132 100644
--- a/lib/xml_lexer.mll
+++ b/lib/xml_lexer.mll
@@ -281,6 +281,11 @@ and dq_string = parse
                         Buffer.add_char tmp (lexeme_char lexbuf 1);
                         dq_string lexbuf
                 }
+        | '&'
+                {
+                        Buffer.add_string tmp (entity lexbuf);
+                        dq_string lexbuf
+                }
         | eof
                 { raise (Error EUnterminatedString) }
         | _
@@ -297,6 +302,11 @@ and q_string = parse
                         Buffer.add_char tmp (lexeme_char lexbuf 1);
                         q_string lexbuf
                 }
+        | '&'
+                {
+                        Buffer.add_string tmp (entity lexbuf);
+                        q_string lexbuf
+                }
         | eof
                 { raise (Error EUnterminatedString) }
         | _
diff --git a/lib/xml_printer.ml b/lib/xml_printer.ml
index eeddd53cb8..bbb7b51ba3 100644
--- a/lib/xml_printer.ml
+++ b/lib/xml_printer.ml
@@ -46,6 +46,8 @@ let buffer_attr tmp (n,v) =
     match v.[p] with
       | '\\' -> output "\\\\"
       | '"' -> output "\\\""
+      | '<' -> output "&lt;"
+      | '&' -> output "&amp;"
       | c -> output' c
   done;
   output' '"'
author	Pierre-Marie Pédrot	2015-07-28 15:10:35 +0200
committer	Pierre-Marie Pédrot	2015-07-28 15:11:03 +0200
commit	e706bbd36237abc6c63d3e30cdaf9a42ac458215 (patch)
tree	3ad1c1161fd9e09fee79575218689af5767f56f7
parent	01248339f4f18cc1635b591447d343a1b4565a80 (diff)