Fix missing XML Escaping in Password String

Fixes acmesh-official#5060
Weishaupt · May 16, 2024 · fd461fe · fd461fe
1 parent 0d8a314
commit fd461fe
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh
@@ -160,13 +160,24 @@ _inwx_check_cookie() {
  return 1
 }
 
+_htmlEscape() {
+ local s
+ s=${1//&/&amp;}
+ s=${s//</&lt;}
+ s=${s//>/&gt;}
+ s=${s//'"'/&quot;}
+ printf -- %s "$s"
+}
+
 _inwx_login() {
 
  if _inwx_check_cookie; then
  _debug "Already logged in"
  return 0
  fi
 
+ XML_PASS=$(_htmlEscape "$INWX_Password")
+
  xml_content=$(printf '<?xml version="1.0" encoding="UTF-8"?>
  <methodCall>
  <methodName>account.login</methodName>
@@ -190,7 +201,7 @@ _inwx_login() {
  </value>
  </param>
  </params>
- </methodCall>' "$INWX_User" "$INWX_Password")
+ </methodCall>' "$INWX_User" "$XML_PASS")
 
  response="$(_post "$xml_content" "$INWX_Api" "" "POST")"