Missing XML escaping in GPX export

[wetneb]

If a location contains the & character in its description, such as lots of apples & pears, this will translate to the following GPX waypoint:

<wpt lat="1.2345" lon="6.789">
   <name>Lovely place</name>
   <desc>lots of apples & pears</desc>
   <type>places</type>
</wpt>

This is invalid XML since the & character should be escaped: we should have <desc>lots of apples &amp; pears</desc> instead.

This is caused by the jstoxml package used for the export, which does not handle escaping by default (?!). Apparently you can pass a configuration object to specify characters to replace but that's cumbersome. It should escape things by default, as this is a classic vulnerability.

For me that's a red flag - another package should be used instead. I have opened an issue on their side: davidcalhoun/jstoxml#41

[nicksellen]

Thanks! Yes, I remember being not so content with any of the XML libraries I encountered. Some of the more complete ones were very large, whereas we have very minimal requirements.

One alternative could be to just create the XML as a string... escaping the string content manually. Maybe it's just about 4 lines of code :)

[wetneb]

Wow, that was quick!

[nicksellen]

It looks like it will get fixed soon in davidcalhoun/jstoxml#41, but the test I added should break on the upgrade to let us know we can remove my escaping code :)