From 9b415c73c904a4546487e8d137ac09b99ff7dc2e Mon Sep 17 00:00:00 2001
From: Bartosz Szatkowski
Date: Thu, 21 Jul 2011 15:55:07 +0200
Subject: [PATCH] obexd: Fix proper data escaping for vCard listing

Up until now it was possible to inject some XML or just broke returned vCard listing by preparing contact with some special characters.
---
 obexd/plugins/pbap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/obexd/plugins/pbap.c b/obexd/plugins/pbap.c
index 5455cceb3..82963af4b 100644
--- a/obexd/plugins/pbap.c
+++ b/obexd/plugins/pbap.c
@@ -469,9 +469,12 @@ static int generate_response(void *user_data)
 pbap->obj->buffer = g_string_new(VCARD_LISTING_BEGIN);
 for (; l && max; l = l->next, max--) {
 const struct cache_entry *entry = l->data;
+ char *escaped_name = g_markup_escape_text(entry->name, -1);
 g_string_append_printf(pbap->obj->buffer,
- VCARD_LISTING_ELEMENT, entry->handle, entry->name);
+ VCARD_LISTING_ELEMENT, entry->handle, escaped_name);
+
+ g_free(escaped_name);
 }
 pbap->obj->buffer = g_string_append(pbap->obj->buffer,
-- 
2.47.3
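Review bot: `g_markup_escape_text(entry->name, -1)` is called with no check that `entry->name` is set; for a NULL argument GLib logs a critical warning and returns NULL, which would then be passed to the `%s` in `VCARD_LISTING_ELEMENT`. If a cache entry can lack a name, escape a fallback instead, e.g. `g_markup_escape_text(entry->name ? entry->name : "", -1)`. The escaping also has a limit worth a comment at the call: GLib documents that control characters other than tab, newline and carriage return are emitted as numeric references that are not valid XML 1.0, so a contact name containing them may still yield a listing that a strict client parser rejects. Something like `/* escapes markup metacharacters; control characters in the name are not removed */` would record that. The body of generate_response starts and ends outside the hunk, so any earlier sanitising of the name is not visible here.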