From eb1f2fe19d6307e1b5fe802a01d8c2142aad85e5 Mon Sep 17 00:00:00 2001
From: Zlatin Balevsky <zlatinb@gmail.com>
Date: Thu, 18 Jun 2020 21:23:51 +0100
Subject: [PATCH] escape download file name

---
 webui/src/main/java/com/muwire/webui/DownloadServlet.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webui/src/main/java/com/muwire/webui/DownloadServlet.java b/webui/src/main/java/com/muwire/webui/DownloadServlet.java
index 9b93c79a..cd0484fa 100644
--- a/webui/src/main/java/com/muwire/webui/DownloadServlet.java
+++ b/webui/src/main/java/com/muwire/webui/DownloadServlet.java
@@ -213,7 +213,7 @@ public class DownloadServlet extends HttpServlet {
         void toXML(StringBuilder sb) {
             sb.append("<Download>");
             sb.append("<InfoHash>").append(Base64.encode(infoHash.getRoot())).append("</InfoHash>");
-            sb.append("<Name>").append(name).append("</Name>");
+            sb.append("<Name>").append(Util.escapeHTMLinXML(name)).append("</Name>");
             sb.append("<State>").append(state.toString()).append("</State>");
             sb.append("<Speed>").append(DataHelper.formatSize2Decimal(speed, false)).append("B/sec").append("</Speed>");
             String ETAString;