From e56690259a6a72549c44533a74fabb8ee9e4bc3b Mon Sep 17 00:00:00 2001
From: ymlam <ymlam@Bach.localdomain>
Date: Sat, 18 May 2019 03:16:31 -0400
Subject: [PATCH] Update

---
 src/altk/comm/engine/Broadcast.java |  5 +++--
 src/altk/comm/engine/Util.java      | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/altk/comm/engine/Broadcast.java b/src/altk/comm/engine/Broadcast.java
index bfa28f6..deaa349 100644
--- a/src/altk/comm/engine/Broadcast.java
+++ b/src/altk/comm/engine/Broadcast.java
@@ -807,12 +807,13 @@ public abstract class Broadcast
 		{
 			if (haltReason != null)
 			{
-				statusBf.append("<reason>" + haltReason
+				// Escaping '&' and '<' in haltReason before enclosing it in <reason> tag
+				statusBf.append("<reason>" + Util.xmlEscape(haltReason)
 				        + "</reason>\r\n");
 			}
 			if (stateErrorText != null)
 			{
-				statusBf.append("<error_text>" + stateErrorText
+				statusBf.append("<error_text>" + Util.xmlEscape(stateErrorText)
 				        + "</error_text>");
 			}
 		}
diff --git a/src/altk/comm/engine/Util.java b/src/altk/comm/engine/Util.java
index cec41a6..314c918 100644
--- a/src/altk/comm/engine/Util.java
+++ b/src/altk/comm/engine/Util.java
@@ -4,6 +4,17 @@ import java.util.Properties;
 
 public class Util
 {
+	/**
+	 * Escape xml sensitive characters '<' and '&' in argument str with appropriate "&xxx;".
+	 * @param str
+	 * @return str with '<' and '&' escaped so it is appropriate to be embeeded as
+	 *             text in an xml/html tag.
+	 */
+	static public String xmlEscape(String str)
+	{
+		return str.replace("&", "&amp;").replace("<", "&lt;");
+	}
+	
     static public String getStringParameter(String name, Properties config)
     {
         return getStringParameter(name, config, null);