From b2492dec6744712732362bfd20d5c21ee017a433 Mon Sep 17 00:00:00 2001
From: Rachel Fenichel <fenichel@google.com>
Date: Fri, 18 Aug 2017 11:18:49 -0700
Subject: [PATCH] Escape variable names correctly when serializing to XML
 (#1279)

---
 core/variables.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/core/variables.js b/core/variables.js
index ac952844e..5b37a7000 100644
--- a/core/variables.js
+++ b/core/variables.js
@@ -352,9 +352,14 @@ Blockly.Variables.promptName = function(promptText, defaultText, callback) {
  * @private
  */
 Blockly.Variables.generateVariableFieldXml_ = function(variableModel) {
-  var xmlString = '<field name="VAR" ' + 'variableType="' +
-      variableModel.type + '" id="' + variableModel.getId() + '">'+
-      variableModel.name +
-      '</field>';
+  // The variable name may be user input, so it may contain characters that need
+  // to be escaped to create valid XML.
+  var element = goog.dom.createDom('field');
+  element.setAttribute('name', 'VAR');
+  element.setAttribute('variableType', variableModel.type);
+  element.setAttribute('id', variableModel.getId());
+  element.textContent = variableModel.name;
+
+  var xmlString = Blockly.Xml.domToText(element);
   return xmlString;
 };