diff --git a/badge.js b/badge.js
index 7b5f960..4b59036 100644
--- a/badge.js
+++ b/badge.js
@@ -27,6 +27,17 @@ templateFiles.forEach(function(filename) {
templates[style + '-' + extension] = dot.template(templateData);
});
+function escapeXml(s) {
+ return s.replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+function addEscapers(data) {
+ data.escapeXml = escapeXml;
+}
+
var colorscheme = require(path.join(__dirname, 'colorscheme.json'));
function optimize(string, callback) {
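Review bot: `escapeXml` calls `s.replace` directly, so a non-string entry in `data.text` (a number, `null`, `undefined`) throws during template rendering rather than being escaped; coercing first, `return String(s).replace(/&/g, ...)`, would avoid that. As shown on this page the replacement literals read as the raw characters and the `<` and `>` patterns are fused into `//g`, which is presumably entity decoding by the page rather than the committed code. The file itself should be checked to confirm each replacement is the entity form (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&apos;`), with `&` handled first as it is here. A short comment above the function, such as `// Escapes the five XML special characters; apply to every request-derived value interpolated into an SVG template.`, would document the contract.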
@@ -50,7 +61,10 @@ function makeImage(data, cb) {
(canvasContext.measureText(data.text[0]).width|0) + 10,
(canvasContext.measureText(data.text[1]).width|0) + 10,
];
+
+ addEscapers(data);
var result = template(data);
+
if (data.format === 'json') {
cb(result);
} else {
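Review bot: `addEscapers(data)` runs before the `data.format === 'json'` branch, so the JSON output goes through the same `template(data)` call with only an XML escaper available. XML entity escaping is not the right encoding for a JSON string. The JSON template is not part of this diff, so it should be confirmed that it encodes `it.text` itself (for example with `JSON.stringify`). The call also attaches `escapeXml` to the caller's `data` object; rendering from a shallow copy would avoid mutating caller-owned state. makeImage's body starts and ends outside the hunk.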
diff --git a/templates/default-template.svg b/templates/default-template.svg
index 88e7c6a..a1c78f1 100644
--- a/templates/default-template.svg
+++ b/templates/default-template.svg
@@ -10,9 +10,9 @@
- {{=it.text[0]}}
- {{=it.text[0]}}
- {{=it.text[1]}}
- {{=it.text[1]}}
+ {{=it.escapeXml(it.text[0])}}
+ {{=it.escapeXml(it.text[0])}}
+ {{=it.escapeXml(it.text[1])}}
+ {{=it.escapeXml(it.text[1])}}
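Review bot: Escaping is opt-in per interpolation here, so any `{{=...}}` elsewhere in these templates, or added later, still emits its value raw. The surrounding SVG markup is not visible in this hunk, so other fields read from `it` (and any that sit inside attribute values) should be checked for the same treatment. The same applies to the flat-square-template.svg and flat-template.svg hunks. doT's encoding interpolation, `{{!it.text[0]}}`, might be an alternative that needs no helper on `data`, if its entity output is acceptable in SVG. A regression test that renders a badge whose text contains `<`, `&` and `"` and parses the result as XML would pin the behaviour for every template.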
diff --git a/templates/flat-square-template.svg b/templates/flat-square-template.svg
index c6761ba..eb46ea5 100644
--- a/templates/flat-square-template.svg
+++ b/templates/flat-square-template.svg
@@ -4,7 +4,7 @@
- {{=it.text[0]}}
- {{=it.text[1]}}
+ {{=it.escapeXml(it.text[0])}}
+ {{=it.escapeXml(it.text[1])}}
diff --git a/templates/flat-template.svg b/templates/flat-template.svg
index 3e4ba76..75ce224 100644
--- a/templates/flat-template.svg
+++ b/templates/flat-template.svg
@@ -8,9 +8,9 @@
- {{=it.text[0]}}
- {{=it.text[0]}}
- {{=it.text[1]}}
- {{=it.text[1]}}
+ {{=it.escapeXml(it.text[0])}}
+ {{=it.escapeXml(it.text[0])}}
+ {{=it.escapeXml(it.text[1])}}
+ {{=it.escapeXml(it.text[1])}}