From 9096223ea354ff3616deac0d982837eae026c0a9 Mon Sep 17 00:00:00 2001
From: Jordan
Date: Mon, 6 Apr 2020 00:27:57 -0700
Subject: ensure XML-safety of attribute values

---
 run.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/run.py b/run.py
index f2899f4..e33b149 100755
--- a/run.py
+++ b/run.py
@@ -40,6 +40,17 @@ def check_auth(username, password):
     return ret
 
 
+def escape(s):
+    '''
+    Ensure XML-safety of attribute values
+    '''
+    s = s.replace('&', '&')
+    s = s.replace('<', '<')
+    s = s.replace('>', '>')
+    s = s.replace('\'', '"')
+
+    return s
+
 @app.route('/')
 def list_books():
     '''
@@ -148,10 +159,10 @@ def list_books():
             item = ET.SubElement(channel, 'item')
 
             title = ET.SubElement(item, 'title')
-            title.text = books[a]['files'][f]['title']
+            title.text = escape(books[a]['files'][f]['title'])
 
             author = ET.SubElement(item, 'itunes:author')
-            author.text = books[a]['files'][f]['author']
+            author.text = escape(books[a]['files'][f]['author'])
 
             category = ET.SubElement(item, 'itunes:category')
             category.text = 'Book'
-- 
cgit v1.2.3-54-g00ecf
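Review bot: The escape() helper added in the first hunk double-encodes rather than protects: assuming ET is xml.etree.ElementTree, it already escapes `&`, `<` and `>` when it serializes `.text`, so a title such as `AT&T` comes out as `AT&amp;amp;T` in the feed once the assignments in the second hunk route it through escape() (as rendered on this page the replacements read as identities like `s.replace('&', '&')`, which is probably the page decoding the entities in the patch rather than the committed code). The last replacement, `s.replace('\'', '"')`, is not an escape at all — it rewrites every apostrophe in a title or author name into a double quote, silently corrupting the data. The values are element text, not attribute values as the docstring claims, so quoting is not a concern for them either. The fix is to drop the helper and assign the raw strings, `title.text = books[a]['files'][f]['title']` and `author.text = books[a]['files'][f]['author']`, letting ET escape on serialization; if some non-ET output path genuinely needs pre-escaped text, `xml.sax.saxutils.escape` is the standard helper. list_books() begins and ends outside the second hunk.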