From 825bd6f304b42ee53eef895a55191f2545f69228 Mon Sep 17 00:00:00 2001
From: Lorenz Stechauner <lorenz.stechauner@necronda.net>
Date: Mon, 12 Feb 2024 19:45:46 +0100
Subject: [PATCH] Export/Ebics: Escape client and member names

---
 Elwig/Helpers/Export/Ebics.cs  | 13 +++++++------
 Tests/Resources/Sql/Insert.sql |  4 ++++
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/Elwig/Helpers/Export/Ebics.cs b/Elwig/Helpers/Export/Ebics.cs
index eeb15c7..30fc506 100644
--- a/Elwig/Helpers/Export/Ebics.cs
+++ b/Elwig/Helpers/Export/Ebics.cs
@@ -5,6 +5,7 @@ using System.Collections.Generic;
 using System.Diagnostics;
 using System.IO;
 using System.Linq;
+using System.Security;
 using System.Threading.Tasks;
 
 namespace Elwig.Helpers.Export {
@@ -52,7 +53,7 @@ namespace Elwig.Helpers.Export {
                    <CreDtTm>{DateTime.UtcNow:o}</CreDtTm>
                    <NbOfTxs>{nbOfTxs}</NbOfTxs>
                    <CtrlSum>{Transaction.FormatAmount(ctrlSum)}</CtrlSum>
-                   <InitgPty><Nm>{App.Client.NameFull}</Nm></InitgPty>
+                   <InitgPty><Nm>{SecurityElement.Escape(App.Client.NameFull)}</Nm></InitgPty>
                   </GrpHdr>
                   <PmtInf>
                    <PmtInfId>{pmtInfId}</PmtInfId>
@@ -60,7 +61,7 @@ namespace Elwig.Helpers.Export {
                    <NbOfTxs>{nbOfTxs}</NbOfTxs>
                    <CtrlSum>{Transaction.FormatAmount(ctrlSum)}</CtrlSum>
                    <ReqdExctnDt>{(Version >= 8 ? "<Dt>" : "")}{Date:yyyy-MM-dd}{(Version >= 8 ? "</Dt>" : "")}</ReqdExctnDt>
-                   <Dbtr><Nm>{App.Client.NameFull}</Nm></Dbtr>
+                   <Dbtr><Nm>{SecurityElement.Escape(App.Client.NameFull)}</Nm></Dbtr>
                    <DbtrAcct><Id><IBAN>{App.Client.Iban!.Replace(" ", "")}</IBAN></Id></DbtrAcct>
                    <DbtrAgt><FinInstnId>{(Version >= 4 ? "<BICFI>" : "<BIC>")}{App.Client.Bic ?? "NOTPROVIDED"}{(Version >= 4 ? "</BICFI>" : "</BIC>")}</FinInstnId></DbtrAgt>
                 """);
@@ -76,15 +77,15 @@ namespace Elwig.Helpers.Export {
                         <PmtId><EndToEndId>{id}</EndToEndId></PmtId>
                         <Amt><InstdAmt Ccy="{tx.Currency}">{Transaction.FormatAmount(tx.Amount)}</InstdAmt></Amt>
                         <Cdtr>
-                         <Nm>{a.Name[..Math.Min(140, a.Name.Length)]}</Nm>
+                         <Nm>{SecurityElement.Escape(a.Name[..Math.Min(140, a.Name.Length)])}</Nm>
                          <PstlAdr>
-                          <StrtNm>{a1?[..Math.Min(70, a1.Length)]}</StrtNm><BldgNb>{a2?[..Math.Min(16, a2.Length)]}</BldgNb>
-                          <PstCd>{a.PostalDest.AtPlz?.Plz}</PstCd><TwnNm>{a.PostalDest.AtPlz?.Ort.Name}</TwnNm>
+                          <StrtNm>{a1?[..Math.Min(70, a1.Length)]}</StrtNm><BldgNb>{SecurityElement.Escape(a2?[..Math.Min(16, a2.Length)])}</BldgNb>
+                          <PstCd>{a.PostalDest.AtPlz?.Plz}</PstCd><TwnNm>{SecurityElement.Escape(a.PostalDest.AtPlz?.Ort.Name)}</TwnNm>
                           <Ctry>{a.PostalDest.Country.Alpha2}</Ctry>
                          </PstlAdr>
                         </Cdtr>
                         <CdtrAcct><Id><IBAN>{tx.Member.Iban!}</IBAN></Id></CdtrAcct>
-                        <RmtInf><Ustrd>{info}</Ustrd></RmtInf>
+                        <RmtInf><Ustrd>{SecurityElement.Escape(info)}</Ustrd></RmtInf>
                        </CdtTrfTxInf>
                     """);
                 progress?.Report(100.0 * ++i / count);
diff --git a/Tests/Resources/Sql/Insert.sql b/Tests/Resources/Sql/Insert.sql
index 9c2244e..2539f0f 100644
--- a/Tests/Resources/Sql/Insert.sql
+++ b/Tests/Resources/Sql/Insert.sql
@@ -68,3 +68,7 @@ INSERT INTO member (mgnr, given_name, family_name, zwstid, volllieferant, buchf
 (102, 'Wernhardt', 'Weinbauer',   'X', FALSE, FALSE, 40, 222303524, 'Winzerstraße 2',    06109, 'AT123456789012345678'),
 (103, 'Matthäus',  'Musterbauer', 'X', FALSE, FALSE, 40, 212005138, 'Brünner Straße 10', 15224, 'AT123456789012345678'),
 (104, 'Waltraud',  'Winzer',      'X', FALSE, FALSE, 40, 212005138, 'Wiener Straße 15',  15224, 'AT123456789012345678');
+
+INSERT INTO member_billing_address (mgnr, name, country, postal_dest, address) VALUES
+(102, 'W&B Weinbauer GesbR',          40, 222303524, 'Winzerstraße 2'),
+(104, 'Weinbau Waltraud Winzer GmbH', 40, 212205137, 'Hauptstraße 1');