From ffbc37a00c0245a5ad6aa87d8aa34f677da698c5 Mon Sep 17 00:00:00 2001
From: Michael Kuron <1748330+mkuron@users.noreply.github.com>
Date: Sat, 2 May 2026 16:24:01 +0200
Subject: [PATCH] Escape generated password in mobileconfig

Escape ampersand, less than, greater than to avoid generating invalid XML.

Fixes #7171
---
 data/web/mobileconfig.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/web/mobileconfig.php b/data/web/mobileconfig.php
index 7c0ead7f5..c57c48857 100644
--- a/data/web/mobileconfig.php
+++ b/data/web/mobileconfig.php
@@ -65,6 +65,7 @@ if (isset($_GET['app_password'])) {
       $attr['protocols'][] = 'dav_access';
   }
   app_passwd("add", $attr);
+  $password = htmlspecialchars($password, ENT_NOQUOTES);
 } else {
   $app_password = false;
 }