Escape XML strings.

Since
  <creator>John Doe <jdoe@example.com></creator>
is not valid XML.

diff --git a/becommands/show.py b/becommands/show.py
index 7c4825781ab821463ef2c1c743cb5967676517ac..0ef09f3786fdffc1484c6bc747d07fd7a8058374 100644 (file)
--- a/becommands/show.py
+++ b/becommands/show.py
@@ -35,17 +35,14 @@ def execute(args, test=False):
          Created : Wed, 31 Dec 1969 19:00 (Thu, 01 Jan 1970 00:00:00 +0000)
     Bug A
     <BLANKLINE>
-    >>> execute (["--xml", "a"], test=True)
+    >>> execute (["--xml", "a"], test=True) # doctest: +ELLIPSIS
     <bug>
       <uuid>a</uuid>
       <short-name>a</short-name>
       <severity>minor</severity>
       <status>open</status>
-      <assigned><class 'libbe.settings_object.EMPTY'></assigned>
-      <target><class 'libbe.settings_object.EMPTY'></target>
-      <reporter><class 'libbe.settings_object.EMPTY'></reporter>
-      <creator>John Doe <jdoe@example.com></creator>
-      <created>Wed, 31 Dec 1969 19:00 (Thu, 01 Jan 1970 00:00:00 +0000)</created>
+      <creator>John Doe &lt;jdoe@example.com&gt;</creator>
+      <created>...</created>
       <summary>Bug A</summary>
     </bug>
     """

diff --git a/libbe/bug.py b/libbe/bug.py
index 59b011bd490c1a466f85c731e4a3c791c416aea9..0e54a1ad3e2ba24379917a5d227f6b8008448c53 100644 (file)
--- a/libbe/bug.py
+++ b/libbe/bug.py
@@ -18,6 +18,7 @@ import os
 import os.path
 import errno
 import time
+import xml.sax.saxutils
 import doctest
 
 from beuuid import uuid_gen
@@ -261,7 +262,7 @@ class Bug(settings_object.SavedSettingsObject):
         ret = '<bug>\n'
         for (k,v) in info:
             if v is not settings_object.EMPTY:
-                ret += '  <%s>%s</%s>\n' % (k,v,k)
+                ret += '  <%s>%s</%s>\n' % (k,xml.sax.saxutils.escape(v),k)
 
         if show_comments == True:
             comout = self.comment_root.xml_thread(auto_name_map=True,

diff --git a/libbe/comment.py b/libbe/comment.py
index 8d03a7b608e77daf10335e3cdd9a5dfef377b8e8..d0fa5ee9a3c34f9084e2804e7b89ee97bee01580 100644 (file)
--- a/libbe/comment.py
+++ b/libbe/comment.py
@@ -19,6 +19,7 @@
 import os
 import os.path
 import time
+import xml.sax.saxutils
 import textwrap
 import doctest
 
@@ -234,16 +235,17 @@ class Comment(Tree, settings_object.SavedSettingsObject):
         """
         if shortname == None:
             shortname = self.uuid
-        lines = ["<comment>",
-                 "  <uuid>%s</uuid>" % self.uuid,
-                 "  <short-name>%s</short-name>" % (shortname,),]
-        if self.in_reply_to != settings_object.EMPTY:
-            lines.append("  <in-reply-to>%s</in-reply-to>" % self.in_reply_to)
-        lines.extend([
-                "  <from>%s</from>" % self._setting_attr_string("From"),
-                "  <date>%s</date>" % self.time_string,
-                "  <body>%s</body>" % (self.body or "").rstrip('\n'),
-                "</comment>\n"])
+        info = [("uuid", self.uuid),
+                ("short-name", shortname),
+                ("in-reply-to", self.in_reply_to),
+                ("from", self._setting_attr_string("From")),
+                ("date", self.time_string),
+                ("body", (self.body or "").rstrip('\n'))]
+        lines = ["<comment>"]
+        for (k,v) in info:
+            if v not in [settings_object.EMPTY, None]:
+                lines.append('  <%s>%s</%s>' % (k,xml.sax.saxutils.escape(v),k))
+        lines.append("</comment>")
         istring = ' '*indent
         sep = '\n' + istring
         return istring + sep.join(lines).rstrip('\n')