Fix XML escaping for release notes with special characters #758
Open
JLaPenn wants to merge 2 commits into velopack:develop from
added 2 commits
January 6, 2026 13:30
Release notes containing XML special characters (specifically ampersands) would cause System.Xml.XmlException during package creation when the nuspec file was parsed. This fix ensures all release notes content is properly escaped using SecurityElement.Escape() before being added to the nuspec XML. For any content that remains invalid after escaping, it falls back to CDATA wrapping with proper handling of ]]> sequences. Added comprehensive unit tests that validate the escaping logic works correctly for all problematic content including XML chars, unicode, control characters, CDATA-like sequences, and very long content. Fixes velopack#666
Previous approach used SecurityElement.Escape() which converted special characters like & to &amp;amp;, < to &amp;lt;, etc. This caused content to be altered when round-tripped through the package - users would see &amp;amp; instead of & in their release notes.

CDATA treats all content as literal text, so no escaping is needed. Only special case is ]]> which terminates CDATA - split it into ]]]]><![CDATA[> to preserve the sequence.

- Remove SecurityElement.Escape() from PackageBuilder.addMetadata()
- Always wrap content in CDATA
- Add unit tests verifying ]]> preservation and no double-escaping
- Fixes velopack#666
Release notes containing XML special characters (specifically ampersands) would cause System.Xml.XmlException during package creation when the nuspec file was parsed.
The new approach opts to always wrap metadata in CDATA tags.
Initial implementation using SecurityElement.IsValidText did not catch ampersands as it is technically valid text for XML content.
This meant that ampersands made it to the XML parsing step that were not escaped appropriately by a CDATA wrapper.
The change here does two things.
]]> in metadata inputs and wraps it in additional CDATA wrappers to prevent issues with unintended CDATA wrapper exits.
This fix ensures all release notes content is properly escaped before being added to the nuspec XML.
Added comprehensive unit tests that validate the escaping logic works correctly for all problematic content including XML chars, unicode, control characters, CDATA-like sequences, and very long content.
Fixes #666
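
The behaviour described in the pull request above, as an added example that is not code from the pull request or from Velopack: `WrapCData`, `RoundTrip` and the sample notes are hypothetical, and `XDocument.Parse` stands in for the nuspec parsing step. The last case goes one step past the description and shows that CDATA wrapping does not make characters forbidden by XML 1.0 parseable.

```csharp
using System;
using System.Security;
using System.Xml;
using System.Xml.Linq;

static class CDataDemo
{
    // Hypothetical helper: wrap text in CDATA, splitting any "]]>" so that the
    // terminator never appears inside a single section.
    static string WrapCData(string text) =>
        "<![CDATA[" + text.Replace("]]>", "]]]]><![CDATA[>") + "]]>";

    // Parse a nuspec-like fragment (constructed) and return what a reader sees,
    // or the parser error if the fragment is not well-formed.
    static string RoundTrip(string body)
    {
        try
        {
            var doc = XDocument.Parse("<releaseNotes>" + body + "</releaseNotes>");
            return doc.Root?.Value ?? "";
        }
        catch (XmlException ex)
        {
            return "XmlException: " + ex.Message;
        }
    }

    static void Main()
    {
        string notes = "Fixed R&D build; <b> tags and ]]> are kept"; // constructed sample

        // 1. Raw concatenation: the bare '&' makes the document ill-formed.
        Console.WriteLine(RoundTrip(notes));

        // 2. Escape and CDATA together: parses, but the reader gets "&amp;" literally.
        Console.WriteLine(RoundTrip(WrapCData(SecurityElement.Escape(notes) ?? "")));

        // 3. CDATA only, with "]]>" split across two sections: exact round trip.
        Console.WriteLine(RoundTrip(WrapCData(notes)) == notes);

        // 4. CDATA does not legalise characters XML 1.0 forbids (here U+0001),
        //    so such input still has to be stripped or rejected beforehand.
        Console.WriteLine(RoundTrip(WrapCData("bell\u0001")));
    }
}
```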