ensure XML-safety of attribute values

author: Jordan <me@jordan.im> 2020-04-06 00:27:57 -0700
committer: Jordan <me@jordan.im> 2020-04-06 00:27:57 -0700
commit: 9096223ea354ff3616deac0d982837eae026c0a9 (patch)
tree: 9e5d1b75c8c240047977888b73b6a82456d428ac
parent: 187b714507a2e9f8642dedbb24f2766ecfa55454 (diff)
download: roka-9096223ea354ff3616deac0d982837eae026c0a9.tar.gz
roka-9096223ea354ff3616deac0d982837eae026c0a9.zip
1 files changed, 13 insertions, 2 deletions
diff --git a/run.py b/run.py
index f2899f4..e33b149 100755
--- a/run.py
+++ b/run.py
@@ -40,6 +40,17 @@ def check_auth(username, password):
 
     return ret
 
+def escape(s):
+    '''
+    Ensure XML-safety of attribute values
+    '''
+    s = s.replace('&', '&amp;')
+    s = s.replace('<', '&lt;')
+    s = s.replace('>', '&gt;')
+    s = s.replace('\'', '&quot;')
+
+    return s
+
 @app.route('/')
 def list_books():
     '''
@@ -148,10 +159,10 @@ def list_books():
             item = ET.SubElement(channel, 'item')
 
             title = ET.SubElement(item, 'title')
-            title.text = books[a]['files'][f]['title']
+            title.text = escape(books[a]['files'][f]['title'])
 
             author = ET.SubElement(item, 'itunes:author')
-            author.text = books[a]['files'][f]['author']
+            author.text = escape(books[a]['files'][f]['author'])
 
             category = ET.SubElement(item, 'itunes:category')
             category.text = 'Book'
author	Jordan <me@jordan.im>	2020-04-06 00:27:57 -0700
committer	Jordan <me@jordan.im>	2020-04-06 00:27:57 -0700
commit	9096223ea354ff3616deac0d982837eae026c0a9 (patch)
tree	9e5d1b75c8c240047977888b73b6a82456d428ac
parent	187b714507a2e9f8642dedbb24f2766ecfa55454 (diff)
download	roka-9096223ea354ff3616deac0d982837eae026c0a9.tar.gz roka-9096223ea354ff3616deac0d982837eae026c0a9.zip