]]> in CDATA is not escaped

[Turbo87]

I'm using the rss crate in the crates.io codebase, which uses quick-xml under the hood and for certain fields performs:

self.write_event(Event::Start(BytesStart::new(name)))?;
self.write_event(Event::CData(BytesCData::new(text.as_ref())))?;
self.write_event(Event::End(BytesEnd::new(name)))?;

According to https://en.wikipedia.org/wiki/CDATA#Nesting in a CDATA section ]]> needs to be encoded as ]]]]><![CDATA[> to not accidentally close the CDATA section.

When I'm using my test string ("let's try & break this <item> ]]>, shall we?") however, I currently see this in the output:

<![CDATA[let's try & break this <item> ]]>, shall we?]]>

Apologies if this was already reported, but I couldn't find a matching issue. Is the escaping of ]]> the responsibility of the caller in this case?

I noticed that the BytesCData documentation says:

Note, that inner text will not contain ]]> sequence inside

but that does not seem to be targeted at people using the library for serializing CDATA sections.

Related:

• ]]> in CDATA is not escaped rust-syndication/rss#173
• Fix CDATA handling #374

[Mingun]

Yes, creating some events requires manual escape of illegal data. When I starting documenting writing methods (that attempts never was public) I found this issue and planned to fix it, but never had time to do that. We need to change creation API for these events to return an iterator over events instead of single event. Something like:

impl BytesCData {
  pub fn new(content: &str) -> impl Iterator<BytesCData> { ... }
}

Comment event also suffers from that problem.

PR to implement this API is welcomed.