From 490384297f2b690e25d7badcec1e28518f8403d8 Mon Sep 17 00:00:00 2001
From: TheCakeIsNaOH
Date: Wed, 29 Sep 2021 11:17:49 -0500
Subject: [PATCH] (#27) Escape PackageProperties elements
On .Net fx, the PackageProperties elements have xml special chars escaped. On Mono, they do not get escaped. mono/mono#21227 In the process of reading the nuspec metadata, escaped chars like "<" get converted back into what they represent, for example "<". This is not an issue on Windows, but is it an issue on Mono. This manually escapes xml special chars from the PackageProperties strings. The id and version are not escaped, as they cannot contain xml special chars in the first place.
---
 src/Core/Authoring/PackageBuilder.cs | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/Core/Authoring/PackageBuilder.cs b/src/Core/Authoring/PackageBuilder.cs
index d575cdce..28ae0f63 100644
--- a/src/Core/Authoring/PackageBuilder.cs
+++ b/src/Core/Authoring/PackageBuilder.cs
@@ -6,6 +6,7 @@
 using System.IO;
 using System.IO.Packaging;
 using System.Linq;
+using System.Security;
 using NuGet.Resources;
 namespace NuGet
@@ -302,14 +303,14 @@ public void Save(Stream stream)
 WriteFiles(package);
 // Copy the metadata properties back to the package
- package.PackageProperties.Creator = String.Join(",", Authors);
- package.PackageProperties.Description = Description;
+ package.PackageProperties.Creator = SecurityElement.Escape(String.Join(",", Authors));
+ package.PackageProperties.Description = SecurityElement.Escape(Description);
 package.PackageProperties.Identifier = Id;
 package.PackageProperties.Version = Version.ToString();
- package.PackageProperties.Language = Language;
- package.PackageProperties.Keywords = ((IPackageMetadata)this).Tags;
- package.PackageProperties.Title = Title;
- package.PackageProperties.LastModifiedBy = CreatorInfo();
+ package.PackageProperties.Language = SecurityElement.Escape(Language);
+ package.PackageProperties.Keywords = SecurityElement.Escape(((IPackageMetadata)this).Tags);
+ package.PackageProperties.Title = SecurityElement.Escape(Title);
+ package.PackageProperties.LastModifiedBy = SecurityElement.Escape(CreatorInfo());
 }
 }
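Review bot: The six `SecurityElement.Escape(...)` calls at the end of `Save` run on every runtime, yet the commit description says .NET Framework already escapes PackageProperties values, so on Windows the metadata is presumably double-encoded (constructed example: a title `A & B` stored as `A &amp;amp; B`). Consider escaping only where the runtime does not, for instance behind a check such as `Type.GetType("Mono.Runtime") != null`, or confirm with a round-trip test on both runtimes that a value containing `&` and `<` reads back unchanged. The block also needs a comment explaining why the escape is manual, e.g. `// Mono does not escape PackageProperties values (mono/mono#21227); escape here so nuspec metadata cannot inject markup into the core properties part`. `Identifier` and `Version` are left unescaped on the assumption that they are validated elsewhere; that validation is not visible in this hunk and is worth confirming, since package metadata is author-controlled input. `Save` begins above the hunk.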