Description: ------------ If a filename contains a correctly encoded entity in one of the package.xml tags, PEAR is decoding it when doing the packaging. <install as="Horde/Feed/fixtures/lexicon/http-p.moreover.com-cgi-local-page%2Fo=rss&s=Newsweek" name="test/Horde/Feed/fixtures/lexicon/http-p.moreover.com-cgi-local-page%2Fo=rss&s=Newsweek" /> turns into <install as="Horde/Feed/fixtures/lexicon/http-p.moreover.com-cgi-local-page%2Fo=rss&s=Newsweek" name="test/Horde/Feed/fixtures/lexicon/http-p.moreover.com-cgi-local-page%2Fo=rss&s=Newsweek" /> https://github.com/horde/horde/blob/24747aa1ad7c1e37fe15cc36e6dec3a911eeb824/framework/Feed/package.xml is an example.

Nice, the bug tracker does the same :-)

This is a bug with XML_Util. XML_Util::createTagFromArray() takes a $replaceEntities parameter that defines if the content of the tag should be xml-escaped or not. This parameter is mistakenly passed up to attributesToString() for which it was not meant at all, leading to the attribute values (including "name") not being escaped.

cweiske: so, it is here (https://github.com/pear/XML_Util/blob/trunk/XML/Util.php#L653) that the $replaceEntities value should have not been given, thus relying on attributeToString()'s default argument value of XML_UTIL_ENTITIES_XML instead?

Exactly.

Pull requests are opened for this fix in XML_Util and XML_Util2. cweiske, please have a look at my change to see if it solves the issue as you've isolated it in the PEAR installer use case.

cweiske confirmed on github PR that this patch solves the issue symptom as seen in PEAR installer usage.

PEAR 1.9.5 will depend on XML_Util 1.2.3, which fixes this issue.