From e4723f7f7492de5cb50b49d1c90c26600c712595 Mon Sep 17 00:00:00 2001
From: Daniel Mach
Date: Fri, 3 Mar 2023 13:20:54 +0100
Subject: [PATCH] Replace arbitrary XML escaping code with xml_escape()
---
 osc/babysitter.py | 3 ++-
 osc/commandline.py | 3 +--
 osc/core.py | 3 +--
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/osc/babysitter.py b/osc/babysitter.py
index 25445a68..521eabc3 100644
--- a/osc/babysitter.py
+++ b/osc/babysitter.py
@@ -16,6 +16,7 @@ from urllib.error import URLError, HTTPError
 import urllib3.exceptions
+from . import _private
 from . import commandline
 from . import oscerr
 from .OscConfigParser import configparser
@@ -112,7 +113,7 @@ def run(prg, argv=None):
 if b'' in body:
 msg = body.split(b'')[1]
 msg = msg.split(b'')[0]
- msg = msg.replace(b'<', b'<').replace(b'>', b'>').replace(b'&', b'&')
+ msg = _private.api.xml_escape(msg)
 print(decode_it(msg), file=sys.stderr)
 if e.code >= 500 and e.code <= 599:
 print('\nRequest: %s' % e.filename)
diff --git a/osc/commandline.py b/osc/commandline.py
index a594334f..1d61eabc 100644
--- a/osc/commandline.py
+++ b/osc/commandline.py
@@ -1450,9 +1450,8 @@ class Osc(cmdln.Cmdln):
 raise oscerr.WrongOptions('no attribute given to create')
 values = ''
 if opts.set:
- opts.set = opts.set.replace('&', '&').replace('<', '<').replace('>', '>')
 for i in opts.set.split(','):
- values += '%s' % i
+ values += '%s' % _private.api.xml_escape(i)
 aname = opts.attribute.split(":")
 if len(aname) != 2:
 raise oscerr.WrongOptions('Given attribute is not in "NAMESPACE:NAME" style')
diff --git a/osc/core.py b/osc/core.py
index 0991bd93..8a2c38c6 100644
--- a/osc/core.py
+++ b/osc/core.py
@@ -7089,8 +7089,7 @@ def get_commitlog(
 r.append('%s' % user)
 r.append('%s' % t)
 r.append('%s' % requestid)
- r.append('%s' %
- decode_it(comment).replace('&', '&').replace('<', '>').replace('>', '<'))
+ r.append('%s' % _private.api.xml_escape(decode_it(comment)))
 r.append('')
 else:
 if requestid:
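Review bot: In the second osc/babysitter.py hunk (`run()`), `msg = _private.api.xml_escape(msg)` encodes text that was just cut out of a server response body and is printed to stderr on the next line, which is where entities are normally decoded rather than added. The removed `.replace()` chain is rendered on this page with identical search and replacement characters, so its direction cannot be confirmed here; if it was turning entities back into `<`, `>` and `&`, the new call inverts it and error summaries will show doubled escapes. `msg` is still `bytes` at this point (it comes from `body.split(b'')`), and xml_escape() is defined outside this patch, so confirm it accepts bytes. If decoding was the intent, something like `print(xml.sax.saxutils.unescape(decode_it(msg)), file=sys.stderr)` fits better, backed by a test that feeds an error body containing an escaped `<`. run() starts and ends outside the hunk.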
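Review bot: The osc/commandline.py hunk calls `_private.api.xml_escape(i)`, but unlike osc/babysitter.py this patch adds no `from . import _private` to the file, and the same applies to the xml_escape() call in the osc/core.py hunk. Neither file's import block is visible here, so confirm the name is already in scope; otherwise these paths fail with NameError only when `opts.set` is given or a commit log is rendered as XML. Escaping each item after `opts.set.split(',')` rather than the whole string before it is equivalent as long as the escape output never contains a comma, which holds for entity replacements. A comment above the loop such as `# escape per value: the XML below is assembled by string formatting` would record why the call must stay. The enclosing method starts and ends outside the hunk.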
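Review bot: In the osc/core.py hunk of get_commitlog(), only `comment` goes through xml_escape(); the three context lines above it still interpolate `user`, `t` and `requestid` into the same XML output unescaped, e.g. `r.append('%s' % user)`. Where those values come from is outside the hunk, but if any of them can carry `&`, `<` or `>` the emitted document is malformed or picks up markup from server-supplied data, so they should be wrapped the same way, `r.append('%s' % _private.api.xml_escape(user))`. The removed lines paired `<` with the `>` replacement and vice versa, so this hunk changes output rather than only refactoring; the commit message should say so. A regression test with a comment containing `<` and `&` would pin the corrected behaviour. get_commitlog() continues outside the hunk.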