Backport a fix from master to fix XML generation

0001-Never-include-in-attribute-values.patch

@@ -0,0 +1,61 @@
+From 6048520484101df5d33f3c852c10640e630d20cf Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 30 Jan 2018 23:03:59 +0000
+Subject: [PATCH] Never include '&' in attribute values
+
+Fixes: https://github.com/hughsie/lvfs-website/issues/33
+---
+ libappstream-glib/as-node.c      | 7 ++++++-
+ libappstream-glib/as-self-test.c | 6 +++---
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/libappstream-glib/as-node.c b/libappstream-glib/as-node.c
+index f8199a9..945c465 100644
+--- a/libappstream-glib/as-node.c
++++ b/libappstream-glib/as-node.c
+@@ -327,12 +327,17 @@ as_node_get_attr_string (AsNodeData *data)
+ 
+ 	str = g_string_new ("");
+ 	for (l = data->attrs; l != NULL; l = l->next) {
++		g_autoptr(GString) value_safe = NULL;
+ 		attr = l->data;
+ 		if (g_strcmp0 (attr->key, "@comment") == 0 ||
+ 		    g_strcmp0 (attr->key, "@comment-tmp") == 0)
+ 			continue;
++		value_safe = g_string_new (attr->value);
++		as_utils_string_replace (value_safe, "&", "&amp;");
++		as_utils_string_replace (value_safe, "<", "&lt;");
++		as_utils_string_replace (value_safe, ">", "&gt;");
+ 		g_string_append_printf (str, " %s=\"%s\"",
+-					attr->key, attr->value);
++					attr->key, value_safe->str);
+ 	}
+ 	return g_string_free (str, FALSE);
+ }
+diff --git a/libappstream-glib/as-self-test.c b/libappstream-glib/as-self-test.c
+index 9800c03..fb4ccf8 100644
+--- a/libappstream-glib/as-self-test.c
++++ b/libappstream-glib/as-self-test.c
+@@ -1047,7 +1047,7 @@ as_test_checksum_func (void)
+ 	AsNode *n;
+ 	AsNode *root;
+ 	GString *xml;
+-	const gchar *src = "<checksum type=\"sha1\" filename=\"fn.cab\" target=\"container\">12345</checksum>";
++	const gchar *src = "<checksum type=\"sha1\" filename=\"f&amp;n.cab\" target=\"container\">12&amp;45</checksum>";
+ 	gboolean ret;
+ 	g_autoptr(AsNodeContext) ctx = NULL;
+ 	g_autoptr(AsChecksum) csum = NULL;
+@@ -1077,8 +1077,8 @@ as_test_checksum_func (void)
+ 	/* verify */
+ 	g_assert_cmpint (as_checksum_get_kind (csum), ==, G_CHECKSUM_SHA1);
+ 	g_assert_cmpint (as_checksum_get_target (csum), ==, AS_CHECKSUM_TARGET_CONTAINER);
+-	g_assert_cmpstr (as_checksum_get_filename (csum), ==, "fn.cab");
+-	g_assert_cmpstr (as_checksum_get_value (csum), ==, "12345");
++	g_assert_cmpstr (as_checksum_get_filename (csum), ==, "f&n.cab");
++	g_assert_cmpstr (as_checksum_get_value (csum), ==, "12&45");
+ 
+ 	/* back to node */
+ 	root = as_node_new ();
+-- 
+2.14.3
+

libappstream-glib.spec

@@ -6,7 +6,7 @@
 Summary:   Library for AppStream metadata
 Name:      libappstream-glib
 Version:   0.7.5
-Release:   2%{?dist}
+Release:   3%{?dist}
 License:   LGPLv2+
 URL:       http://people.freedesktop.org/~hughsient/appstream-glib/
 Source0:   http://people.freedesktop.org/~hughsient/appstream-glib/releases/appstream-glib-%{version}.tar.xz
@@ -14,6 +14,7 @@ Source0:   http://people.freedesktop.org/~hughsient/appstream-glib/releases/apps
 # from upstream git master
 Patch0:    0001-as-app-desktop-don-t-deference-invalid-lists.patch
 Patch1:    0002-Fix-an-invalid-read-when-using-as_app_parse_data-fro.patch
+Patch2:    0001-Never-include-in-attribute-values.patch
 
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: docbook-utils
@@ -89,6 +90,7 @@ GLib headers and libraries for appstream-builder.
 %setup -q -n appstream-glib-%{version}
 %patch0 -p1 -b .crash1
 %patch1 -p1 -b .crash2
+%patch2 -p1 -b .invalid-xml
 
 %build
 %meson \
@@ -154,6 +156,9 @@ GLib headers and libraries for appstream-builder.
 %{_datadir}/gir-1.0/AppStreamBuilder-1.0.gir
 
 %changelog
+* Tue Jan 30 2018 Richard Hughes <richard@hughsie.com> 0.7.5-3
+- Backport a fix from master to fix XML generation.
+
 * Wed Jan 24 2018 Richard Hughes <richard@hughsie.com> 0.7.5-2
 - Backport two crash fixes from master.