From fd461fe015608ddf00710bb05ef2aaa3799fa3c7 Mon Sep 17 00:00:00 2001
From: Marvin Dickhaus <2642714+Weishaupt@users.noreply.github.com>
Date: Thu, 16 May 2024 22:44:47 +0200
Subject: [PATCH] Fix missing XML Escaping in Password String

Fixes #5060
---
 dnsapi/dns_inwx.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/dnsapi/dns_inwx.sh b/dnsapi/dns_inwx.sh
index e483c0e854..2f2082d614 100755
--- a/dnsapi/dns_inwx.sh
+++ b/dnsapi/dns_inwx.sh
@@ -160,6 +160,15 @@ _inwx_check_cookie() {
   return 1
 }
 
+_htmlEscape() {
+  local s
+  s=${1//&/&amp;}
+  s=${s//</&lt;}
+  s=${s//>/&gt;}
+  s=${s//'"'/&quot;}
+  printf -- %s "$s"
+}
+
 _inwx_login() {
 
   if _inwx_check_cookie; then
@@ -167,6 +176,8 @@ _inwx_login() {
     return 0
   fi
 
+  XML_PASS=$(_htmlEscape "$INWX_Password")
+
   xml_content=$(printf '<?xml version="1.0" encoding="UTF-8"?>
   <methodCall>
   <methodName>account.login</methodName>
@@ -190,7 +201,7 @@ _inwx_login() {
     </value>
    </param>
   </params>
-  </methodCall>' "$INWX_User" "$INWX_Password")
+  </methodCall>' "$INWX_User" "$XML_PASS")
 
   response="$(_post "$xml_content" "$INWX_Api" "" "POST")"