authorOndrej Zara <ondrej.zara@firma.seznam.cz>2015-08-04 16:36:30 +0200
committerOndrej Zara <ondrej.zara@firma.seznam.cz>2015-08-04 16:36:30 +0200
commit921ccb4b2139f6239da2ad76f07217775c281ea8 (patch)
treee1e42f5ef32d31429578dbbc343a7a59073f2256 /js/row.js
parenta8f650f5c14a5d3a194ce470a49c6c483c91e9a9 (diff)
xml escaping, fixes #207
Diffstat (limited to 'js/row.js')
-rw-r--r--js/row.js11
1 files changed, 6 insertions, 5 deletions
diff --git a/js/row.js b/js/row.js
index ac1c94b..a9abf86 100644
--- a/js/row.js
+++ b/js/row.js
@@ -143,7 +143,8 @@ SQL.Row.prototype.buildEdit = function() {
elms.push(["null",this.dom.nll]);
this.dom.comment = OZ.DOM.elm("span",{className:"comment"});
- this.dom.comment.innerHTML = this.data.comment;
+ this.dom.comment.innerHTML = "";
+ this.dom.comment.appendChild(document.createTextNode(this.data.comment));
this.dom.commentbtn = OZ.DOM.elm("input");
this.dom.commentbtn.type = "button";
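Review bot: The two added lines in buildEdit (clear innerHTML, then append a text node) are repeated verbatim in changeComment in the next hunk; the same result is obtained with the single assignment `this.dom.comment.textContent = this.data.comment;`, which replaces all children with one text node and never routes the comment through the HTML parser. If the project must support engines without textContent, the pair of lines should at least be a small helper so the two call sites cannot drift apart. A short why-comment on the new line, `// render the comment as text, not markup (#207)`, would explain to a later reader why innerHTML is no longer assigned the value directly. buildEdit begins before and continues after this hunk.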
@@ -180,7 +181,8 @@ SQL.Row.prototype.changeComment = function(e) {
var c = prompt(_("commenttext"),this.data.comment);
if (c === null) { return; }
this.data.comment = c;
- this.dom.comment.innerHTML = this.data.comment;
+ this.dom.comment.innerHTML = "";
+ this.dom.comment.appendChild(document.createTextNode(this.data.comment));
}
SQL.Row.prototype.expand = function() {
@@ -336,7 +338,7 @@ SQL.Row.prototype.toXML = function() {
} else if (d != "CURRENT_TIMESTAMP") {
d = q+d+q;
}
- xml += "<default>"+d+"</default>";
+ xml += "<default>"+SQL.escape(d)+"</default>";
}
for (var i=0;i<this.relations.length;i++) {
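Review bot: The correctness of the new `SQL.escape(d)` call depends on a helper that is not defined in this file, and nothing in the hunk records what it is expected to cover; the inline code it replaces in the next hunk only handled `&`, `>` and `<`, in that order. Since `d` is built as `q+d+q` a few lines earlier, the helper must also encode `"` (and ideally `'`) if the value can ever be emitted in an attribute, and must encode `&` before the other characters so already-escaped text is not double-escaped — I would confirm this against its definition and add `// SQL.escape must encode & first, then < > " (XML text and attribute contexts)` at this line. The same dependency applies to the `<comment>` element in the following hunk; toXML begins before and continues after this hunk.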
@@ -346,8 +348,7 @@ SQL.Row.prototype.toXML = function() {
}
if (this.data.comment) {
- var escaped = this.data.comment.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;");
- xml += "<comment>"+escaped+"</comment>\n";
+ xml += "<comment>"+SQL.escape(this.data.comment)+"</comment>\n";
}
xml += "</row>\n";