File name should be html-escaped

os97673 · os97673 · commit a96a0af08f52 · 2015-01-30T12:44:47.000+03:00
diff --git a/lib/ruby-debug-ide/xml_printer.rb b/lib/ruby-debug-ide/xml_printer.rb
@@ -79,7 +79,7 @@ def print_frame(context, frame_id, current_frame_id)
       # idx + 1: one-based numbering as classic-debugger
       file = context.frame_file(frame_id)
       print "<frame no=\"%s\" file=\"%s\" line=\"%s\" #{"current='true' " if frame_id == current_frame_id}/>",
-        frame_id + 1, File.expand_path(file), context.frame_line(frame_id)
+        frame_id + 1, CGI.escapeHTML(File.expand_path(file)), context.frame_line(frame_id)
     end
     
     def print_contexts(contexts)
@@ -282,7 +282,7 @@ def print_trace(context, file, line)
     
     def print_at_line(context, file, line)
       print "<suspended file=\"%s\" line=\"%s\" threadId=\"%d\" frames=\"%d\"/>",
-        File.expand_path(file), line, context.thnum, context.stack_size
+            CGI.escapeHTML(File.expand_path(file)), line, context.thnum, context.stack_size
     end
     
     def print_exception(exception, _)
