From a042ff1e06be43f84d88dc4c2e190fa7c225a622 Mon Sep 17 00:00:00 2001
From: Sam Harwell <sam.harwell@rackspace.com>
Date: Fri, 23 Aug 2013 08:43:02 -0500
Subject: [PATCH] Make sure to escape parameter values since they are pass as
 XML attributes

---
 .../rackspace/cloud/api/docs/CalabashHelper.java | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/rackspace/cloud/api/docs/CalabashHelper.java b/src/main/java/com/rackspace/cloud/api/docs/CalabashHelper.java
index b3b9e9e..45af990 100644
--- a/src/main/java/com/rackspace/cloud/api/docs/CalabashHelper.java
+++ b/src/main/java/com/rackspace/cloud/api/docs/CalabashHelper.java
@@ -51,9 +51,9 @@ public class CalabashHelper {
 
                 strBuff
                     .append("<c:param name=\"")
-                    .append(entry.getKey())
+                    .append(escapeXmlAttribute(entry.getKey()))
                     .append("\" namespace=\"\" value=\"")
-                    .append(rawValue)
+                    .append(escapeXmlAttribute(rawValue))
                     .append("\"/>");
             }
         }
@@ -74,6 +74,18 @@ public class CalabashHelper {
         return sources.get(0);
     }
 
+    private static String escapeXmlAttribute(String value) {
+        if (value == null) {
+            return "";
+        }
+
+        return value
+            .replace("&", "&amp;")
+            .replace("\"", "&quot;")
+            .replace("'", "&apos;")
+            .replace("%", "&#37;");
+    }
+
     /**
      * Creates a {@link Source} for use in a Calabash pipeline.
      *