Don't forget to escape XML in attributes. Thanks to the Postgres Q&A room on conference.jabber.org :)
--- a/util/stanza.lua Tue Nov 18 22:41:04 2008 +0000
+++ b/util/stanza.lua Wed Nov 19 05:02:13 2008 +0000
@@ -103,7 +103,7 @@
local attr_string = "";
if t.attr then
- for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, tostring(v)); end end
+ for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, xml_escape(tostring(v))); end end
end
return s_format("<%s%s>%s</%s>", t.name, attr_string, children_text, t.name);
end
@@ -111,7 +111,7 @@
function stanza_mt.top_tag(t)
local attr_string = "";
if t.attr then
- for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, tostring(v)); end end
+ for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, xml_escape(tostring(v))); end end
end
return s_format("<%s%s>", t.name, attr_string);
end