Sanitize attributes as well as values

Author: adamplumb

XMLSerializer.php

@@ -137,7 +137,9 @@ private static function tag_open($key, $depth = 0, $attributes = null, $self_clo
         echo $key;
         if ($attributes) {
             foreach ($attributes as $attribute_key => $attribute_value) {
-                echo " {$attribute_key}=\"{$attribute_value}\"";
+                echo " {$attribute_key}=\"";
+                self::sanitized_scalar($attribute_value);
+                echo "\"";
             }
         }
         if ($self_closing) {
@@ -149,13 +151,17 @@ private static function tag_open($key, $depth = 0, $attributes = null, $self_clo
 
     private static function tag_value($value, $depth) {
         if (self::is_scalar($value)) {
-            echo $value;
+            self::sanitized_scalar($value);
         } else if (is_array($value)) {
             echo self::NEWLINE;
             self::_to_xml($value, $depth);
         }
     }
 
+    private static function sanitized_scalar($value) {
+        echo str_replace(array('&', "'", '"'), array('&', ''', '"'), $value);
+    }
+
     private static function tag_close($key, $depth) {
         if ($depth > 0) {
             self::indent($depth);