For example, a `&` in ACS URL is not replaced by `&amp;` in the `loginRequestRedirectURL` function so the generated XML is not valid and authentication fails.
More important, this could lead to security issues (XML injection).
Solution: do NOT use `replaceTagsByValue` in an XML template without escaping the values!
@jer-sen `replaceTagsByValue` is definitely not the optimal function to construct xml, it's doing string interpolation. I will draft a new function and add a deprecation warning for this function.
The assumption is that if an interpolation begins with a double quote (e.g. `"{ID}`) then it's an interpolation within an XML attribute that needs character entity escaping. This assumption seems to hold for your current templates.
Raised a PR: #523. I haven't followed all the repo conventions yet. I could do those as another commit on the branch.
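
The difference between unescaped and escaped interpolation discussed in this thread, as an added example; it is not the project's code or the code from the PR. The template, the function names and the sample values are constructed for illustration, and `naiveReplaceTags` is only a stand-in for the string-interpolation behaviour described above.

```javascript
// Added example: all names here are hypothetical, not the library's API.

// Constructed template: every placeholder sits inside an XML attribute.
const TEMPLATE =
  '<samlp:AuthnRequest ID="{ID}" AssertionConsumerServiceURL="{AssertionConsumerServiceURL}"/>';

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Stand-in for the behaviour the issue describes: plain string interpolation.
function naiveReplaceTags(template, values) {
  return template.replace(/\{(\w+)\}/g, (m, key) =>
    has(values, key) ? String(values[key]) : m);
}

// Escape the five characters that are special inside an XML attribute value.
function escapeXmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Same interpolation, but a placeholder directly preceded by a double quote
// is treated as attribute content and escaped (the heuristic from the thread).
function escapedReplaceTags(template, values) {
  return template.replace(/(")?\{(\w+)\}/g, (m, quote, key) => {
    if (!has(values, key)) return m;
    const v = String(values[key]);
    return quote ? quote + escapeXmlAttr(v) : v;
  });
}

// True if the output contains an '&' that does not start an entity reference,
// which makes the document not well-formed.
function hasBareAmpersand(xml) {
  return /&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)/.test(xml);
}

// Names of the attributes a parser would see on the element.
function attributeNames(xml) {
  return [...xml.matchAll(/\s([\w:]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample values: a query string with '&', and a value with '"'.
const ACS_WITH_AMP = 'https://sp.example.org/acs?tenant=a&lang=en';
const ACS_WITH_QUOTE = 'https://sp.example.org/acs" Extra="1';
```

With the unescaped version the `&` value yields XML that is not well-formed, and the value containing a double quote ends the attribute early so the element gains an attribute the template never declared; the escaped version keeps both values inside `AssertionConsumerServiceURL`.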