From 80d0423026b0bc14c8da820fff7905ba9c0a5d0e Mon Sep 17 00:00:00 2001
From: Federico Marani <federico.marani@ymail.com>
Date: Sat, 7 Mar 2009 13:47:46 +0000
Subject: [PATCH] html escape of atom attributes (ticket 1266)

---
 lib/jabber.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/jabber.php b/lib/jabber.php
index f41d984d62..4a96fb54e6 100644
--- a/lib/jabber.php
+++ b/lib/jabber.php
@@ -176,14 +176,14 @@ function jabber_format_entry($profile, $notice)
     $entry .= "<source>\n";
     $entry .= "<title>" . $profile->nickname . " - " . common_config('site', 'name') . "</title>\n";
     $entry .= "<link href='" . htmlspecialchars($profile->profileurl) . "'/>\n";
-    $entry .= "<link rel='self' type='application/rss+xml' href='" . $self_url . "'/>\n";
+    $entry .= "<link rel='self' type='application/rss+xml' href='" . htmlspecialchars($self_url) . "'/>\n";
     $entry .= "<author><name>" . $profile->nickname . "</name></author>\n";
     $entry .= "<icon>" . $profile->avatarUrl(AVATAR_PROFILE_SIZE) . "</icon>\n";
     $entry .= "</source>\n";
     $entry .= "<title>" . htmlspecialchars($msg) . "</title>\n";
     $entry .= "<summary>" . htmlspecialchars($msg) . "</summary>\n";
-    $entry .= "<link rel='alternate' href='" . $noticeurl . "' />\n";
-    $entry .= "<id>". $notice->uri . "</id>\n";
+    $entry .= "<link rel='alternate' href='" . htmlspecialchars($noticeurl) . "' />\n";
+    $entry .= "<id>". htmlspecialchars($notice->uri) . "</id>\n";
     $entry .= "<published>".common_date_w3dtf($notice->created)."</published>\n";
     $entry .= "<updated>".common_date_w3dtf($notice->modified)."</updated>\n";
     $entry .= "</entry>\n";
-- 
2.39.5