Bug #27189: Fix xml-escape When creating XML from scratch, the user supplied values need to be escaped.
diff --git a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py
index c7c82c6..e60daab 100644
--- a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py
+++ b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/node.py
@@ -56,6 +56,7 @@ import errno
 import fnmatch
 import re
 import random
+from xml.sax.saxutils import escape as xml_escape
 try:
 import xml.etree.ElementTree as ET
 except ImportError:
@@ -1590,7 +1591,7 @@ def domain_snapshot_create(uri, domain, snapshot):
 if dom_stat.pd.snapshots is None:
 raise NodeError(_('Snapshot not supported "%(node)s"'), node=uri)
 old_state = dom_stat.key()
- xml = '''%s''' % snapshot
+ xml = '''%s''' % (xml_escape(snapshot),)
 s = dom.snapshotCreateXML(xml, 0)
 dom_stat.update(dom)
diff --git a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py
index a544230..cfae567 100644
--- a/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py
+++ b/branches/ucs-3.0/ucs/virtualization/univention-virtual-machine-manager-daemon/src/univention/uvmm/storage.py
@@ -42,6 +42,7 @@ from protocol import Disk, Data_Pool
 import os.path
 import univention.config_registry as ucr
 import time
+from xml.sax.saxutils import escape as xml_escape
 configRegistry = ucr.ConfigRegistry()
 configRegistry.load()
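Review bot: Escaping at the call site in `xml = '''%s''' % (xml_escape(snapshot),)` in domain_snapshot_create protects this one template but leaves every later hand-built template dependent on its author remembering to escape. The import hunk's context shows node.py already imports `xml.etree.ElementTree as ET`; building the document with `ET.Element`/`ET.SubElement`, assigning the name through `.text` and serialising with `ET.tostring()` would escape text and attribute values by construction. Note also that `xml_escape()` calls `.replace()` on its argument, so a non-string `snapshot` that the old `%s` formatting accepted now raises `AttributeError`; whether callers can pass one is not visible here. The body of domain_snapshot_create starts and ends outside the hunk.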
@@ -63,8 +64,8 @@ def create_storage_pool(conn, dir, pool_name='default'):
 ''' % {
- 'pool': pool_name,
- 'path': dir,
+ 'pool': xml_escape(pool_name),
+ 'path': xml_escape(dir),
 }
 try:
 p = conn.storagePoolDefineXML(xml, 0)
@@ -127,7 +128,7 @@ def create_storage_volume(conn, domain, disk):
 size = 8 << 30 # GiB
 values = {
- 'name': xml_escape(os.path.basename(disk.source)),
+ 'name': xml_escape(os.path.basename(disk.source)),
 'size': size,
 }
@@ -137,7 +138,7 @@ def create_storage_volume(conn, domain, disk):
 pool_type = doc.firstChild.getAttribute('type')
 if pool_type in ('dir', 'fs', 'netfs'):
 if hasattr(disk, 'driver_type') and disk.driver_type not in (None, 'iso', 'aio'):
- values['type'] = disk.driver_type
+ values['type'] = xml_escape(disk.driver_type)
 else:
 values['type'] = 'raw'
 # permissions
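Review bot: `'path': xml_escape(dir)` in create_storage_pool keeps the pool XML well-formed, but the value still reaches `conn.storagePoolDefineXML()` as an arbitrary target path. The commit message describes these values as user supplied, so the function should also reject a `dir` that is not absolute or that lies outside the directories UVMM is meant to manage before the template is filled in; `os.path` is already imported in this file. At minimum I would add a comment above the mapping saying that escaping only protects the XML structure and naming where path policy is enforced, if it is enforced by the caller (not visible from this hunk). The template and the rest of create_storage_pool lie outside the hunk.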
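Review bot: The volume name in `'name': xml_escape(os.path.basename(disk.source))` can still be empty, because `os.path.basename()` returns `''` for a source that ends in `/`, and escaping does not change that. A guard such as `if not values['name']:` directly after the dict, raising the module's usual error, would reject the request before the XML is handed to libvirt. create_storage_volume continues outside the hunk.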
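Review bot: `values['type'] = xml_escape(disk.driver_type)` is only sufficient if `%(type)s` sits in element content, because `xml.sax.saxutils.escape()` replaces `&`, `<` and `>` but leaves `"` and `'` untouched. The template is outside the hunk, but libvirt volume XML normally carries the format as an attribute (`<format type='...'/>`), where a quote in `driver_type` would still terminate the attribute value. Either pass the extra entities, `xml_escape(disk.driver_type, {'"': '&quot;', "'": '&apos;'})`, or, preferably, accept only the format names UVMM actually supports and raise on anything else. The same caveat applies to any other value touched by this commit that ends up inside an attribute.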