Don't forget to escape XML in attributes. Thanks to the Postgres Q&A room on...

diff --git a/util/stanza.lua b/util/stanza.lua
index 5a6ba8c5305c7ce00f2e5bf70ab30c8cf9db64c1..36e07317e866d7ba55c967765adc1dbb33a262c6 100644 (file)
--- a/util/stanza.lua
+++ b/util/stanza.lua
@@ -103,7 +103,7 @@ function stanza_mt.__tostring(t)
 
        local attr_string = "";
        if t.attr then
-               for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, tostring(v)); end end
+               for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, xml_escape(tostring(v))); end end
        end
        return s_format("<%s%s>%s</%s>", t.name, attr_string, children_text, t.name);
 end
@@ -111,7 +111,7 @@ end
 function stanza_mt.top_tag(t)
        local attr_string = "";
        if t.attr then
-               for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, tostring(v)); end end
+               for k, v in pairs(t.attr) do if type(k) == "string" then attr_string = attr_string .. s_format(" %s='%s'", k, xml_escape(tostring(v))); end end
        end
        return s_format("<%s%s>", t.name, attr_string);
 end