Ampersand (&) in site password creates invalid XML

[James]

I'm using FileZilla client 3.3.3 and when I use the ampersand (&) symbol in a password for a site it is stored in the XML file as '&' not '&amp;'. If I manually change it from '&' to '&amp;' then FileZilla is ok until I update the site or close and reopen FileZilla. Updating the site affects 'sitemanager.xml' and closing affects 'filezilla.xml' (<LastServer><Pass> tag), thus 'filezilla.xml' cannot be read and the default settings are used.

I've attached screen shots of the errors generated for each of these files.

[Tim Kosse]

I cannot reproduce this, ampersands work just fine here and are getting properly escaped.

Are you sure you are using version 3.3.3? Where did you download it from?

[James]

I am sure I am using version 3.3.3 and I downloaded it through FileZilla's built in updater.

The password that caused the error was '3tup4-@2q9&#xa+6zu2Us-ub', which I just now realized the '&#x' is used for hex.

Should FileZilla be looking for a semi-colon after '&#x' to verify whether or not the ampersand should be changed?

Seeing as how FileZilla seems to be quite thoroughly tested I'm fine with it amounting to me getting an unlucky password and I apologize for not doing more thorough testing on my own before posting.

[Tim Kosse]

The password that caused the error was '3tup4-@2q9&#xa+6zu2Us-ub', which I just now realized the '&#x' is used for hex.

Ah, that's the missing piece of the puzzle. Now that I can reproduce it, I should be able to fix this problem.

Without having looked into it yet, it appears to be a bug in TinyXML, the XML parser library used by FileZilla.

[Tim Kosse]

Definitely a bug in TinyXML.

I have created a patch and submitted it to the TinyXML project, see ​https://sourceforge.net/tracker/?func=detail&aid=3031828&group_id=13559&atid=313559

The fix will be included in the next version of FileZilla.