From fe082e7537abe7081d457d800aa1bfeac282d3b6 Mon Sep 17 00:00:00 2001
From: Alex Ling <hkalexling@gmail.com>
Date: Tue, 30 Jun 2020 16:44:42 +0000
Subject: [PATCH] Escape illegal characters in XML (#82)

---
 src/util.cr                  | 10 ++++++++++
 src/views/opds/index.xml.ecr |  2 +-
 src/views/opds/title.xml.ecr |  6 +++---
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/util.cr b/src/util.cr
index c9dfa2b..57d0e9b 100644
--- a/src/util.cr
+++ b/src/util.cr
@@ -154,3 +154,13 @@ def ctime(file_path : String) : Time
     Time.new stat.st_ctim, Time::Location::UTC
   {% end %}
 end
+
+def escape_xml(str)
+  str.gsub({
+    '>'  => "&gt;",
+    '<'  => "&lt;",
+    '"'  => "&quot;",
+    '\'' => "&apos;",
+    '&'  => "&amp;",
+  })
+end
diff --git a/src/views/opds/index.xml.ecr b/src/views/opds/index.xml.ecr
index 2d84b63..ef9e717 100644
--- a/src/views/opds/index.xml.ecr
+++ b/src/views/opds/index.xml.ecr
@@ -14,7 +14,7 @@
 
   <% titles.each do |t| %>
     <entry>
-      <title><%= t.display_name %></title>
+      <title><%= escape_xml(t.display_name) %></title>
       <id>urn:mango:<%= t.id %></id>
       <link type="application/atom+xml;profile=opds-catalog;kind=navigation" rel="subsection" href="<%= base_url %>opds/book/<%= t.id %>" />
     </entry>
diff --git a/src/views/opds/title.xml.ecr b/src/views/opds/title.xml.ecr
index 80eadfa..3aec8b7 100644
--- a/src/views/opds/title.xml.ecr
+++ b/src/views/opds/title.xml.ecr
@@ -5,7 +5,7 @@
   <link rel="self" href="<%= base_url %>opds/book/<%= title.id %>" type="application/atom+xml;profile=opds-catalog;kind=navigation" />
   <link rel="start" href="<%= base_url %>opds/" type="application/atom+xml;profile=opds-catalog;kind=navigation" />
 
-  <title><%= title.display_name %></title>
+  <title><%= escape_xml(title.display_name) %></title>
 
   <author>
     <name>Mango</name>
@@ -14,7 +14,7 @@
 
   <% title.titles.each do |t| %>
     <entry>
-      <title><%= t.display_name %></title>
+      <title><%= escape_xml(t.display_name) %></title>
       <id>urn:mango:<%= t.id %></id>
       <link type="application/atom+xml;profile=opds-catalog;kind=navigation" rel="subsection" href="<%= base_url %>opds/book/<%= t.id %>" />
     </entry>
@@ -22,7 +22,7 @@
 
   <% title.entries.each do |e| %>
     <entry>
-      <title><%= e.display_name %></title>
+      <title><%= escape_xml(e.display_name) %></title>
       <id>urn:mango:<%= e.id %></id>
 
       <link rel="http://opds-spec.org/image" href="<%= e.cover_url %>" />