JCR-3630: XSS in DirListingExportHandler (patch provided by lars krap…

…f) (ported to 2.0)

git-svn-id: https://svn.apache.org/repos/asf/jackrabbit/branches/2.0@1732460 13f79535-47bb-0310-9956-ffa450edef68

jackrabbit-jcr-server/src/main/java/org/apache/jackrabbit/server/io/DirListingExportHandler.java

@@ -166,7 +166,7 @@ public boolean exportContent(ExportContext context, boolean isCollection) throws
                             writer.print("/");
                         }
                         writer.print("\">");
-                        writer.print(label);
+                        writer.print(Text.encodeIllegalXMLCharacters(label));
                         writer.print("</a></li>");
                     }
                 }
@@ -226,7 +226,7 @@ public boolean exportContent(ExportContext context, DavResource resource) throws
                     writer.print("<li><a href=\"");
                     writer.print(child.getHref());
                     writer.print("\">");
-                    writer.print(label);
+                    writer.print(Text.encodeIllegalXMLCharacters(label));
                     writer.print("</a></li>");
                 }
                 writer.print("</ul><hr size=\"1\"><em>Powered by <a href=\"");