From fb7ac49253d40260f01fdd084ee9340304fd0f04 Mon Sep 17 00:00:00 2001
From: Simon Vermeersch <simonvermeersch@gmail.com>
Date: Tue, 14 Oct 2014 18:27:58 +0200
Subject: [PATCH] Escape <, > and & when MXP is enabled.

---
 src/server/portal/mxp.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/server/portal/mxp.py b/src/server/portal/mxp.py
index 94eb3ac7f0..05d9958a05 100644
--- a/src/server/portal/mxp.py
+++ b/src/server/portal/mxp.py
@@ -28,6 +28,10 @@ def mxp_parse(text):
     """
     Replaces links to the correct format for MXP.
     """
+    text = text.replace("&", "&amp;") \
+               .replace("<", "&lt;") \
+               .replace(">", "&gt;")
+
     text = LINKS_SUB.sub(MXP_SEND, text)
     return text