Improve escaping

ProfessionalWiki · Nov 20, 2018 · afd8e17 · afd8e17
1 parent 3a6c277
commit afd8e17
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/Presentation/KmlFormatter.php b/src/Presentation/KmlFormatter.php
@@ -47,7 +47,9 @@ private function locationToKmlPlacemark( Location $location ): string {
 		// TODO: escaping?
 		$description = '<description><![CDATA[ ' . $location->getText() . ']]></description>';
 
-		$coordinates = '<coordinates>' . htmlspecialchars( $this->getCoordinateString( $location ) ) . '</coordinates>';
+		$coordinates = '<coordinates>'
+			. $this->escapeValue( $this->getCoordinateString( $location ) )
+			. '</coordinates>';
 
 		return <<<EOT
 		<Placemark>
@@ -68,4 +70,8 @@ private function getCoordinateString( Location $location ): string {
 			. ',0';
 	}
 
+	private function escapeValue( string $value ): string {
+		return htmlspecialchars( $value, ENT_NOQUOTES );
+	}
+
 }