From 2d860d9b7c35086129f15caf2ccb7ceb907924a8 Mon Sep 17 00:00:00 2001
From: Jesse Chan <jc@linux.com>
Date: Thu, 1 Apr 2021 12:43:44 +0800
Subject: [PATCH] server: rTorrent: escape XML string

---
 .../services/rTorrent/util/XMLRPCSerializer.ts  | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/server/services/rTorrent/util/XMLRPCSerializer.ts b/server/services/rTorrent/util/XMLRPCSerializer.ts
index 8b530f80..f2d05134 100644
--- a/server/services/rTorrent/util/XMLRPCSerializer.ts
+++ b/server/services/rTorrent/util/XMLRPCSerializer.ts
@@ -23,10 +23,19 @@ const value = (value: XMLRPCValue): string => {
   if (Array.isArray(value)) {
     type = 'array';
     value = data(value);
-  } else if (Number.isInteger(value)) type = 'i4';
-  else if (typeof value === 'number') type = 'double';
-  else if (typeof value === 'string') type = 'string';
-  else if (typeof value === 'boolean') {
+  } else if (Number.isInteger(value)) {
+    type = 'i4';
+  } else if (typeof value === 'number') {
+    type = 'double';
+  } else if (typeof value === 'string') {
+    type = 'string';
+    value = value
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&apos;');
+  } else if (typeof value === 'boolean') {
     type = 'boolean';
     value = value ? '1' : '0';
   } else if (value instanceof Date) {