From fc44bb03c5a7ed574efe782395fcbdaa8612a339 Mon Sep 17 00:00:00 2001 From: Tim Otten Date: Thu, 16 May 2013 17:40:04 -0400 Subject: [PATCH] CRM-12647 - CRM_Utils_Migrate_Export - Use htmlentities ---------------------------------------- * CRM-12647: Customization export/import crashes on "&" http://issues.civicrm.org/jira/browse/CRM-12647 --- CRM/Utils/Migrate/Export.php | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/CRM/Utils/Migrate/Export.php b/CRM/Utils/Migrate/Export.php index 92f1ed78ea..83b472c3dd 100644 --- a/CRM/Utils/Migrate/Export.php +++ b/CRM/Utils/Migrate/Export.php @@ -354,7 +354,7 @@ AND entity_id IS NULL else { $label = $this->_xml[$mappedField[0]]['map'][$dao->{$mappedField[1]}]; } - $additional .= "\n <{$mappedField[2]}>{$label}"; + $additional .= "\n " . $this->renderTextTag($mappedField[2], $label); } } return $additional; @@ -397,7 +397,7 @@ AND entity_id IS NULL elseif ($object->extends == 'Relationship') { $key = 'relationship_type'; } - $xml .= "\n $key"; + $xml .= "\n " . $this->renderTextTag('extends_entity_column_value_option_group', $key); $types = explode(CRM_Core_DAO::VALUE_SEPARATOR, substr($object->$name, 1, -1) ); @@ -406,7 +406,7 @@ AND entity_id IS NULL $values[] = $this->_xml['optionValue']['map']["$key.{$type}"]; } $value = implode(',', $values); - $xml .= "\n $value"; + $xml .= "\n " . $this->renderTextTag('extends_entity_column_value_option_value', $value); } else { echo "This extension: {$object->extends} is not yet handled"; 
@@ -421,14 +421,14 @@ AND entity_id IS NULL list($tableName, $columnName, $groupID) = CRM_Core_BAO_CustomField::getTableColumnGroup($cfID); $value = "custom.{$tableName}.{$columnName}"; } - $xml .= "\n <$name>$value"; + $xml .= "\n " . $this->renderTextTag($name, $value); } else { $value = str_replace(CRM_Core_DAO::VALUE_SEPARATOR, self::XML_VALUE_SEPARATOR, $object->$name ); - $xml .= "\n <$name>$value"; + $xml .= "\n " . $this->renderTextTag($name, $value); } } } @@ -438,5 +438,18 @@ AND entity_id IS NULL $xml .= "\n \n"; return $xml; } + + /** + * @param string $name tag name + * @param string $value text + * @param string $prefix + * @return string XML + */ + function renderTextTag($name, $value, $prefix ='') { + if (!preg_match('/^[a-zA-Z0-9\_]+$/', $name)) { + throw new Exception("Malformed tag name: $name"); + } + return $prefix . "<$name>" . htmlentities($value) . ""; + } } -- 2.25.1
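Review bot: `htmlentities($value)` in the new renderTextTag() emits HTML named entities such as `&eacute;` or `&nbsp;` for non-ASCII text, but XML predefines only `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&apos;`, so a label containing an accented character would likely still produce a file that an XML parser rejects on import. The call also passes no charset, so the result depends on the PHP default rather than on the encoding of the exported data. Escaping only the markup characters with an explicit encoding, `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` (assuming the exported values are UTF-8), covers the `&` case from CRM-12647 without introducing undefined entities. Separately, the `$` anchor in the tag-name check also accepts a name that ends in a newline; `'/^[a-zA-Z0-9_]+\z/'` closes that gap.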