From 6659382c4fa348e1ebbce2424968dd7267ea1db1 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Mon, 27 May 2013 02:07:39 +0000
Subject: [PATCH] Check user input in XML responses.

Fixes bug 1183884.

* swift/account/server.py: Escape account name in XML listings.

Change-Id: I7ba54631ed1349516132c00a53fae74f0b84ac37
---
 swift/account/server.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: swift/swift/account/server.py
===================================================================
--- swift.orig/swift/account/server.py	2013-07-12 13:51:47.000000000 +0800
+++ swift/swift/account/server.py	2013-07-12 13:56:46.000000000 +0800
@@ -238,7 +238,7 @@
             account_list = '[' + ','.join(json_out) + ']'
         elif out_content_type.endswith('/xml'):
             output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
-                           '<account name="%s">' % account]
+                           '<account name="%s">' % saxutils.escape(account)]
             for (name, object_count, bytes_used, is_subdir) in account_list:
                 name = saxutils.escape(name)
                 if is_subdir:
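Review bot: The added `saxutils.escape(account)` is interpolated into a double-quoted attribute value, but `escape()` by default only rewrites `&`, `<` and `>`, so a `"` in the account name would still terminate the attribute early and change the structure of the XML listing. Let the library do the quoting with `'<account name=%s>' % saxutils.quoteattr(account)`, or pass the extra entity explicitly as `saxutils.escape(account, {'"': '&quot;'})`. The context line `name = saxutils.escape(name)` is sufficient for element text, but if `name` is later written into an attribute (that code is outside this hunk) the same concern applies there. The enclosing function starts and ends outside the hunk, so where `account` originates and whether it is validated earlier cannot be confirmed from here.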
