diff --git a/src/calibre/library/cli.py b/src/calibre/library/cli.py
index e49da584ca..280653b2c3 100644
--- a/src/calibre/library/cli.py
+++ b/src/calibre/library/cli.py
@@ -9,7 +9,7 @@ Command line interface to the calibre database.
import sys, os, cStringIO
from textwrap import TextWrapper
-from urllib import quote
+from xml.sax.saxutils import escape
from calibre import terminal_controller, preferred_encoding, prints
from calibre.utils.config import OptionParser, prefs
@@ -48,10 +48,10 @@ XML_TEMPLATE = '''\
${record['comments']}
${record['series']}
${record['isbn']}
- ${record['cover']}
+ ${escape(record['cover'].replace(os.sep, '/'))}
- ${path}
+ ${escape(path.replace(os.sep, '/'))}
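Review bot: The two new `${escape(...)}` expressions in XML_TEMPLATE most likely escape their values twice. Genshi's MarkupTemplate already XML-escapes the string result of a `${...}` expression, and `xml.sax.saxutils.escape` returns a plain string, so a path containing `&` would be rendered as `&amp;amp;`. Normalising the separator alone should be enough: `${record['cover'].replace(os.sep, '/')}` and `${path.replace(os.sep, '/')}`, which would also make the `escape=escape` argument added in do_list unnecessary. Separately, `.replace` raises if `record['cover']` can be None for a book without a cover; that depends on code outside this hunk, so consider `${(record['cover'] or '').replace(os.sep, '/')}`. The template text starts and ends outside the hunk.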
@@ -78,9 +78,9 @@ STANZA_TEMPLATE='''\
urn:calibre:${record['uuid']}
${record['author_sort']}
${record['timestamp'].strftime('%Y-%m-%dT%H:%M:%SZ')}
-
-
-
+
+
+
@@ -186,7 +186,7 @@ def do_list(db, fields, sort_by, ascending, search_text, line_width, separator,
return o.getvalue()
elif output_format == 'xml':
template = MarkupTemplate(XML_TEMPLATE)
- return template.generate(data=data).render('xml')
+ return template.generate(data=data, os=os, escape=escape).render('xml')
elif output_format == 'stanza':
data = [i for i in data if i.has_key('fmt_epub')]
for x in data:
@@ -194,7 +194,7 @@ def do_list(db, fields, sort_by, ascending, search_text, line_width, separator,
x['fmt_epub'] = x['fmt_epub'].encode('utf-8')
template = MarkupTemplate(STANZA_TEMPLATE)
return template.generate(id="urn:calibre:main", data=data, subtitle=subtitle,
- sep=os.sep, quote=quote, updated=db.last_modified()).render('xml')
+ sep=os.sep, quote=escape, updated=db.last_modified()).render('xml')
def list_option_parser():
parser = get_parser(_(
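Review bot: Passing `quote=escape` to `template.generate(...)` swaps URL percent-encoding for XML entity escaping while keeping the old template variable name, so a reader of STANZA_TEMPLATE cannot see that the encoder changed. If the template calls `quote(...)` to build link targets (those lines are not visible in this hunk), spaces and non-ASCII bytes in paths will no longer be percent-encoded, and `escape` does not encode `"` unless given an entities map. I would pass the function under its own name, `escape=escape`, and update the template calls to match, or at minimum add a comment such as `# template variable 'quote' now XML-escapes; it no longer URL-quotes`. do_list begins before this hunk.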