Detect already escaped ampersands

Author: xrl

lib/xml_security.rb

@@ -90,7 +90,7 @@ def validate_doc(base64_cert, soft = true)
 
         hashed_element                = document.at_xpath("//*[@ID='#{uri[1..-1]}']")
         canon_algorithm               = canon_algorithm REXML::XPath.first(ref, '//ds:CanonicalizationMethod', 'ds' => DSIG)
-        canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub('&','&')
+        canon_hashed_element          = hashed_element.canonicalize(canon_algorithm, inclusive_namespaces).gsub(/&(?!amp;)/,'&')
 
         digest_algorithm              = algorithm(REXML::XPath.first(ref, "//ds:DigestMethod"))