From cb70db565afeedd168b821e9ed7f4162806b011f Mon Sep 17 00:00:00 2001
From: sychic <47618543+Sychic@users.noreply.github.com>
Date: Fri, 17 Apr 2026 11:55:16 -0400
Subject: [PATCH 1/3] fix(maven): return escaped summary for project description
---
 apps/labrinth/src/routes/maven.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/labrinth/src/routes/maven.rs b/apps/labrinth/src/routes/maven.rs
index 109967a64d..6fc8ebe23d 100644
--- a/apps/labrinth/src/routes/maven.rs
+++ b/apps/labrinth/src/routes/maven.rs
@@ -329,7 +329,7 @@ pub async fn version_file(
 artifact_id: project_id,
 version: vnum,
 name: project.inner.name,
- description: project.inner.description,
+ description: format!(r#""{}""#, project.inner.summary),
 };
 return Ok(HttpResponse::Ok()
 .content_type("text/xml")
From 41d657faea7fe75ea101cff040f9d2aaa31f1575 Mon Sep 17 00:00:00 2001
From: sychic <47618543+Sychic@users.noreply.github.com>
Date: Fri, 17 Apr 2026 18:08:56 -0400
Subject: [PATCH 2/3] build: add quickxml to labrinth
---
 Cargo.lock | 1 +
 apps/labrinth/Cargo.toml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/Cargo.lock b/Cargo.lock
index 2072ef3b22..f0774aa0e2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4941,6 +4941,7 @@ dependencies = [ "paste", "path-util", "prometheus", + "quick-xml 0.38.3", "rand 0.8.5", "rand_chacha 0.3.1", "redis",
diff --git a/apps/labrinth/Cargo.toml b/apps/labrinth/Cargo.toml
index 81840f5ac7..40639cd44e 100644
--- a/apps/labrinth/Cargo.toml
+++ b/apps/labrinth/Cargo.toml
@@ -80,6 +80,7 @@ murmur2 = { workspace = true }
 paste = { workspace = true }
 path-util = { workspace = true }
 prometheus = { workspace = true }
+quick-xml = { workspace = true }
 rand = { workspace = true }
 rand_chacha = { workspace = true }
 redis = { workspace = true, features = ["ahash", "r2d2", "tokio-comp"] }
From 87028c7f9128f94518877508574db5c4cde10a4b Mon Sep 17 00:00:00 2001
From: sychic <47618543+Sychic@users.noreply.github.com>
Date: Fri, 17 Apr 2026 18:09:37 -0400
Subject: [PATCH 3/3] fix(maven): use quickxml to escape xml special chars
---
 apps/labrinth/src/routes/maven.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/labrinth/src/routes/maven.rs b/apps/labrinth/src/routes/maven.rs
index 6fc8ebe23d..b9bc10d779 100644
--- a/apps/labrinth/src/routes/maven.rs
+++ b/apps/labrinth/src/routes/maven.rs
@@ -13,6 +13,7 @@ use crate::queue::session::AuthQueue;
 use crate::routes::ApiError;
 use crate::{auth::get_user_from_headers, database};
 use actix_web::{HttpRequest, HttpResponse, get, route, web};
+use quick_xml::escape::escape;
 use std::collections::HashSet;
 use yaserde::YaSerialize;
@@ -329,7 +330,7 @@ pub async fn version_file(
 artifact_id: project_id,
 version: vnum,
 name: project.inner.name,
- description: format!(r#""{}""#, project.inner.summary),
+ description: escape(project.inner.summary).into_owned(),
 };
 return Ok(HttpResponse::Ok()
 .content_type("text/xml")
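Review bot: In the `version_file` hunk of 3/3, `description: escape(project.inner.summary).into_owned()` escapes the summary by hand, while the neighbouring `name: project.inner.name` is just as user-supplied and still goes into the same POM struct unescaped, so the two fields now follow different rules. The struct is presumably serialized through the `YaSerialize` derive imported above; if that writer already escapes character data (worth confirming), the manual call would double-encode and a summary containing `&` would reach Maven clients as `&amp;amp;`. If it does not, `name` needs the same treatment, e.g. `name: escape(project.inner.name).into_owned(),`. A test that serializes a POM with `<`, `&` and `"` in both fields and asserts the exact XML would pin down which layer owns escaping. The body of `version_file` starts and ends outside the hunk, so the struct definition and the serialization call are not visible here.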