Check user input in XML responses.

Fixes bug 1183884. * swift/account/server.py: Escape account name in XML listings. Change-Id: I33f25aa02c96a72cb54c9d7ebd916d06a8a69edf
2013-05-27 02:07:39 +00:00 · 2013-05-27 02:07:39 +00:00 · 4eed6bf5b5
parent 0ce3e1d647
commit 4eed6bf5b5
1 changed files with 1 additions and 1 deletions
--- a/swift/account/server.py
+++ b/swift/account/server.py
@ -275,7 +275,7 @@ class AccountController(object):
            account_list = json.dumps(data)
        elif out_content_type.endswith('/xml'):
            output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
-                           '<account name="%s">' % account]
+                           '<account name="%s">' % saxutils.escape(account)]
            for (name, object_count, bytes_used, is_subdir) in account_list:
                name = saxutils.escape(name)
                if is_subdir: