diff --git a/src/util.cr b/src/util.cr
index c9dfa2b..57d0e9b 100644
--- a/src/util.cr
+++ b/src/util.cr
@@ -154,3 +154,13 @@ def ctime(file_path : String) : Time
 Time.new stat.st_ctim, Time::Location::UTC
 {% end %}
 end
+
+def escape_xml(str)
+ str.gsub({
+ '>' => ">",
+ '<' => "<",
+ '"' => """,
+ '\'' => "'",
+ '&' => "&",
+ })
+end
diff --git a/src/views/opds/index.xml.ecr b/src/views/opds/index.xml.ecr
index 2d84b63..ef9e717 100644
--- a/src/views/opds/index.xml.ecr
+++ b/src/views/opds/index.xml.ecr
@@ -14,7 +14,7 @@
 <% titles.each do |t| %>
- <%= t.display_name %>
+ <%= escape_xml(t.display_name) %>
 urn:mango:<%= t.id %>
diff --git a/src/views/opds/title.xml.ecr b/src/views/opds/title.xml.ecr
index 80eadfa..3aec8b7 100644
--- a/src/views/opds/title.xml.ecr
+++ b/src/views/opds/title.xml.ecr
@@ -5,7 +5,7 @@
- <%= title.display_name %>
+ <%= escape_xml(title.display_name) %>
 Mango
@@ -14,7 +14,7 @@
 <% title.titles.each do |t| %>
- <%= t.display_name %>
+ <%= escape_xml(t.display_name) %>
 urn:mango:<%= t.id %>
@@ -22,7 +22,7 @@
 <% title.entries.each do |e| %>
- <%= e.display_name %>
+ <%= escape_xml(e.display_name) %>
 urn:mango:<%= e.id %>
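Review bot: Every entry in the replacement map of the new `escape_xml` reads as mapping a character to itself (`'>' => ">"`, `'&' => "&"`), which as shown would make the function a no-op and leave the OPDS feed unescaped; this is most likely the page rendering decoding the entity strings (`&gt;`, `&lt;`, `&quot;`, `&#39;`, `&amp;`), so confirm the committed file holds the entity forms rather than the bare characters. Crystal's standard library already provides this exact five-character mapping as `HTML.escape` (with `require "html"`), so the body could be `HTML.escape(str)` with `String` restrictions on the parameter and return, avoiding a hand-maintained table. Either way a one-line doc comment, `# Escapes the five XML special characters so the result is safe as element text or attribute content.`, would state the contract. Note the helper does not remove control characters that XML 1.0 forbids, so a name containing one would still yield a malformed document — presumably out of scope for this change.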
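Review bot: The context line right after the change in `index.xml.ecr`, `urn:mango:<%= t.id %>`, still interpolates `t.id` raw while only `display_name` is wrapped; if ids are generated hashes that is harmless, but if they can derive from paths or user-controlled names they need the same `escape_xml(t.id)` treatment. Because ECR's `<%=` performs no escaping, every interpolation in these feeds must be wrapped explicitly, so a grep for `<%=` across the `opds` views would confirm nothing outside this hunk is left unescaped. The `titles.each` block continues past the hunk, so its remaining lines are not visible here.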
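Review bot: In the last `title.xml.ecr` hunk the `entries.each` loop escapes `e.display_name` but the following context line `urn:mango:<%= e.id %>` still emits `e.id` unescaped, and the same holds for `t.id` in the preceding hunk; unless ids are guaranteed to be plain hashes, wrap them as `urn:mango:<%= escape_xml(e.id) %>`. It would also be worth adding a fixture title or entry whose name contains `&` and `<` and asserting the rendered feed parses as well-formed XML, since this change only surfaced through the templates. The `entries.each` block ends outside the hunk.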