From de1f6319ec48f11547b6377620a89146f11dbdf7 Mon Sep 17 00:00:00 2001
From: Stig Bakken
Date: Sat, 6 Apr 2002 00:58:22 +0000
Subject: [PATCH] * forgot htmlspecialchars in release notes
---
 pear/PEAR/Common.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pear/PEAR/Common.php b/pear/PEAR/Common.php
index 320cc528e4..5ff230c4b2 100644
--- a/pear/PEAR/Common.php
+++ b/pear/PEAR/Common.php
@@ -716,6 +716,7 @@ class PEAR_Common extends PEAR
 */
 function _makeReleaseXml($pkginfo, $changelog = false)
 {
+ // XXX QUOTE ENTITIES IN PCDATA, OR EMBED IN CDATA BLOCKS!!
 $indent = $changelog ? " " : "";
 $ret = "$indent \n";
 if (!empty($pkginfo['version'])) {
@@ -731,7 +732,7 @@ class PEAR_Common extends PEAR
 $ret .= "$indent $pkginfo[release_state]\n";
 }
 if (!empty($pkginfo['release_notes'])) {
- $ret .= "$indent $pkginfo[release_notes]\n";
+ $ret .= "$indent ".htmlspecialchars($pkginfo['release_notes'])."\n";
 }
 if (isset($pkginfo['release_deps']) && sizeof($pkginfo['release_deps']) > 0) {
 $ret .= "$indent \n";
-- 
2.50.1
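Review bot: Only `release_notes` is escaped in the second hunk; the context line just above it still interpolates `$pkginfo[release_state]` raw into the release XML, so a `<` or `&` in that field yields malformed or structurally altered output. The XXX comment added in the first hunk acknowledges the gap, but a TODO does not close it; the same call should wrap each interpolated field, e.g. `htmlspecialchars($pkginfo['release_state'])`, ideally through one small helper so a newly added field cannot miss it. `_makeReleaseXml` starts before and continues after both hunks, so the version, date and dependency fields are not visible here and presumably need the same treatment.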