sanitzie XML characters

__tests__/auth.test.ts

@@ -82,4 +82,22 @@ describe('auth tests', () => {
     expect(fs.existsSync(m2Dir)).toBe(false);
     expect(fs.existsSync(settingsFile)).toBe(false);
   }, 100000);
+
+  it('escapes invalid XML inputs', () => {
+    const id = 'packages';
+    const username = 'bluebottle';
+    const password = '&<>"\'\'"><&';
+
+    expect(auth.generate(id, username, password)).toEqual(`
+  <settings>
+      <servers>
+        <server>
+          <id>${id}</id>
+          <username>${username}</username>
+          <password>&amp;&lt;&gt;&quot;&apos;&apos;&quot;&gt;&lt;&amp;</password>
+        </server>
+      </servers>
+  </settings>
+  `);
+  });
 });

src/auth.ts

@@ -27,15 +27,24 @@ export async function configAuthentication(
   }
 }
 
+function escapeXML(value: string) {
+  return value
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
 // only exported for testing purposes
 export function generate(id: string, username: string, password: string) {
   return `
   <settings>
       <servers>
         <server>
-          <id>${id}</id>
-          <username>${username}</username>
-          <password>${password}</password>
+          <id>${escapeXML(id)}</id>
+          <username>${escapeXML(username)}</username>
+          <password>${escapeXML(password)}</password>
         </server>
       </servers>
   </settings>