xml escape ampersands to avoid XML parse error on valid urls.

liquidpele · web-flow · commit 7a55ebfe454e · 2016-11-08T18:30:08.000-05:00
diff --git a/djangosaml2/utils.py b/djangosaml2/utils.py
@@ -51,7 +51,7 @@ def get_location(http_info):
 def get_hidden_form_inputs(html):
     """ Extracts name/value pairs from hidden input tags in an html form."""
     pairs = dict()
-    tree = ElementTree.fromstring(html, forbid_dtd=True)
+    tree = ElementTree.fromstring(html.replace('&', '&amp;'), forbid_dtd=True)
     # python 2.6 doesn't have iter
     if hasattr(tree, 'iter'):
         node_iter = tree.iter()
