diff --git a/src/engine/blocks.js b/src/engine/blocks.js index ba9aac5bb..b3d87e49f 100644 --- a/src/engine/blocks.js +++ b/src/engine/blocks.js @@ -1,4 +1,5 @@ var adapter = require('./adapter'); +var xmlEscape = require('../util/xml-escape'); /** * @fileoverview @@ -369,8 +370,12 @@ Blocks.prototype.blockToXML = function (blockId) { // Add any fields on this block. for (var field in block.fields) { var blockField = block.fields[field]; + var value = blockField.value; + if (typeof value === 'string') { + value = xmlEscape(blockField.value); + } xmlString += '' + - blockField.value + ''; + value + ''; } // Add blocks connected to the next connection. if (block.next) { diff --git a/src/util/xml-escape.js b/src/util/xml-escape.js new file mode 100644 index 000000000..00ce5bff6 --- /dev/null +++ b/src/util/xml-escape.js @@ -0,0 +1,21 @@ +/** + * Escape a string to be safe to use in XML content. + * CC-BY-SA: hgoebl + * https://stackoverflow.com/questions/7918868/ + * how-to-escape-xml-entities-in-javascript + * @param {!string} unsafe Unsafe string. + * @return {string} XML-escaped string, for use within an XML tag. + */ +var xmlEscape = function (unsafe) { + return unsafe.replace(/[<>&'"]/g, function (c) { + switch (c) { + case '<': return '<'; + case '>': return '>'; + case '&': return '&'; + case '\'': return '''; + case '"': return '"'; + } + }); +}; + +module.exports = xmlEscape;