From 6aee354fa005fec3fa02a7596e87fef27b78dac1 Mon Sep 17 00:00:00 2001
From: Jan Szejko <janek37@gmail.com>
Date: Wed, 5 Jul 2017 16:24:58 +0200
Subject: [PATCH] escape document parameters in xml

---
 apps/catalogue/views.py | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index 1f3130a0..64967420 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -8,6 +8,7 @@ import os
 import shutil
 import subprocess
 from tempfile import NamedTemporaryFile
+from xml.sax.saxutils import escape as escape_xml
 
 from django.conf import settings
 from django.contrib import auth
@@ -115,17 +116,24 @@ def create_missing(request):
             else:
                 cover_url = ''
 
-            doc.commit(
-                text='''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+            text = '''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
                 <metadata>
-                    <dc:publisher>''' + form.cleaned_data['publisher'] + '''</dc:publisher>
-                    <dc:description>''' + form.cleaned_data['description'] + '''</dc:description>
-                    ''' + '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms) + '''
-                    <dc:relation.coverImage.url>''' + cover_url + '''</dc:relation.coverImage.url>
+                    <dc:publisher>%s</dc:publisher>
+                    <dc:description>%s</dc:description>
+                    %s
+                    <dc:relation.coverImage.url>%s</dc:relation.coverImage.url>
                 </metadata>
-                <header>''' + title + '''</header>
+                <header>%s</header>
                 <div class="p"> </div>
-                </section>''',
+                </section>''' % (
+                    escape_xml(form.cleaned_data['publisher']),
+                    escape_xml(form.cleaned_data['description']),
+                    '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms),
+                    escape_xml(cover_url),
+                    escape_xml(title))
+
+            doc.commit(
+                text=text,
                 author=creator
             )
             doc.assigned_to = request.user
-- 
2.20.1