
Make xml_convert escape any character > 0x7F, and use xml_convert to escape the

value of the "args" attribute.

On Windows, I created a user account with the name "Kurt Gödel". When I ran a
scan in Zenmap, Nmap created a temporary XML file that started like

<?xml version="1.0" ?>
<?xml-stylesheet href="nmap.xsl" type="text/xsl"?>
<!-- Nmap 4.75 scan initiated Wed Sep 10 11:16:58 2008 as: nmap -T4 -F -oX c:\docume~1\kurtgö~1\locals~1\temp\zenmap-bcbuy6.xml 192.168.0.1 -->
<nmaprun scanner="nmap" args="nmap -T4 -F -oX c:\docume~1\kurtgö~1\locals~1\temp\zenmap-bcbuy6.xml 192.168.0.1" start="1221067018" startstr="Wed Sep 10 11:16:58 2008" version="4.75" xmloutputversion="1.02">

Notice the ö characters in the file names. They were not in UTF-8 but probably in
whatever the filesystem encoding is. Because Nmap's XML does not declare an
encoding, it defaults to UTF-8, meaning this particular file was not even
well-formed. In Zenmap it caused a crash like

CRASH REPORTED:
SYS.PLATFORM: win32
OS.NAME: nt
Zenmap Version: 4.75
TRACEBACK:
Traceback (most recent call last):
  File "C:\cygwin\home\david\nmap\zenmap\zenmapGUI\ScanNotebook.py", line 387, in verify_execution
    self.load_from_command(scan)
  File "C:\cygwin\home\david\nmap\zenmap\zenmapGUI\ScanNotebook.py", line 400, in load_from_command
    parsed = self._parse(command.get_xml_output_filename())
  File "C:\cygwin\home\david\nmap\zenmap\zenmapGUI\ScanNotebook.py", line 444, in _parse
    parsed.parse_file(file_to_parse)
  File "C:\cygwin\home\david\nmap\zenmap\zenmapCore\NmapParser.py", line 749, in parse_file
    self.parse(f)
  File "C:\cygwin\home\david\nmap\zenmap\zenmapCore\NmapParser.py", line 743, in parse
    self.parser.parse(f)
  File "c:\Python25\lib\xml\sax\expatreader.py", line 107, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "c:\Python25\lib\xml\sax\xmlreader.py", line 123, in parse
    self.feed(buffer)
  File "c:\Python25\lib\xml\sax\expatreader.py", line 211, in feed
    self._err_handler.fatalError(exc)
  File "c:\Python25\lib\xml\sax\handler.py", line 38, in fatalError
    raise exception
SAXParseException: c:\docume~1\kurtgö~1\locals~1\temp\zenmap-bcbuy6.xml:3:92: not well-formed (invalid token)

Plus Internet Explorer wouldn't even open it.

This change escapes the XML so it looks like

<?xml version="1.0" ?>
<?xml-stylesheet href="nmap.xsl" type="text/xsl"?>
<!-- Nmap 4.75 scan initiated Wed Sep 10 11:52:19 2008 as: nmap -PE -PA21,23,80,3389 -A -v -T4 -oX c:\docume~1\kurtg&#xF6;~1\locals~1\temp\zenmap-zih7f5.xml 192.168.0.1 -->
<nmaprun scanner="nmap" args="nmap -PE -PA21,23,80,3389 -A -v -T4 -oX c:\docume~1\kurtg&#xF6;~1\locals~1\temp\zenmap-zih7f5.xml 192.168.0.1" start="1221069139" startstr="Wed Sep 10 11:52:19 2008" version="4.75" xmloutputversion="1.02">
david
2008-09-10 18:32:35 +00:00
parent ab4c4c141e
commit 20853ec49f
2 changed files with 44 additions and 33 deletions


@@ -890,39 +890,47 @@ char* xml_convert (const char* str) {
char *end = temp + strl * 6 + 1;
for (p = temp;(prevch = ch, ch = *str);str++) {
const char *a;
switch (ch) {
case '\t':
a = "&#x9;";
break;
case '\r':
a = "&#xd;";
break;
case '\n':
a = "&#xa;";
break;
case '<':
a = "&lt;";
break;
case '>':
a = "&gt;";
break;
case '&':
a = "&amp;";
break;
case '"':
a = "&quot;";
break;
case '\'':
a = "&apos;";
break;
case '-':
if (prevch == '-') { /* Must escape -- for comments */
a = "&#45;";
if ((unsigned char) ch > 0x7F) {
/* Escape anything outside of ASCII--we have to emit UTF-8 and an easy
way to do that is to emit ASCII. */
char buf[32];
Snprintf(buf, sizeof(buf), "&#x%02X;", (unsigned char) ch);
a = buf;
} else {
switch (ch) {
case '\t':
a = "&#x9;";
break;
case '\r':
a = "&#xd;";
break;
case '\n':
a = "&#xa;";
break;
case '<':
a = "&lt;";
break;
case '>':
a = "&gt;";
break;
case '&':
a = "&amp;";
break;
case '"':
a = "&quot;";
break;
case '\'':
a = "&apos;";
break;
case '-':
if (prevch == '-') { /* Must escape -- for comments */
a = "&#45;";
break;
}
default:
*p++ = ch;
continue;
}
default:
*p++ = ch;
continue;
}
assert(end - p > 1);
Strncpy(p,a, end - p - 1); p += strlen(a); // SAFE
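Review bot: `buf` is declared inside the `if ((unsigned char) ch > 0x7F)` block, but `a = buf` is only read by the `Strncpy(p,a, end - p - 1)` call after that block has closed, so the copy reads an object whose lifetime has ended (undefined behaviour, even if it usually works in practice). Declare `char buf[32];` next to `const char *a;` at the top of the loop body instead. Separately, the `default:` branch still copies bytes below 0x20 other than tab, CR and LF straight through; XML 1.0 does not allow those characters, even as character references, so if target-supplied text passes through this function a parser can still reject the output unless they are dropped or replaced. Emitting each high byte as its own `&#x..;` reference also treats the input as Latin-1, so text that is already UTF-8 would come out as two or more wrong characters. xml_convert starts before this hunk, so the allocation behind `temp` and `end` is not visible here.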