node-xml
XML entities in attributes are not escaped
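It seems XML entities get unescaped (decoded) in text, but not in attributes: handlers receive character data with the entities resolved, while attribute values still contain the raw entity references.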
Here is a reduced test case, based on the example in the README:
var util = require('util');
var xml = require("node-xml");
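// Reduced reproduction: register a SAX handler set that logs every event, then
// parse one document carrying the same entity references (&quot; and &gt;) in
// an attribute value and in character data, so the two code paths can be
// compared in the log.
const parser = new xml.SaxParser(function (cb) {
  // Document start/end carry no information for this report; handlers are empty.
  cb.onStartDocument(() => {});
  cb.onEndDocument(() => {});

  // attrs is logged through JSON.stringify so the exact string handed to the
  // handler is visible. A decoded value would show backslash-escaped quotes;
  // an undecoded one still shows the entity references.
  // NOTE(review): as reported here, attribute values arrive undecoded while
  // onCharacters delivers decoded text. A consumer that validates, compares or
  // re-serialises attribute values should decode them itself (exactly once)
  // rather than assume both channels are in the same form.
  cb.onStartElementNS((elem, attrs, prefix, uri, namespaces) => {
    util.log(`=> Started: ${elem} uri=${uri} (Attributes: ${JSON.stringify(attrs)} )`);
  });

  cb.onEndElementNS((elem, prefix, uri) => {
    util.log(`<= End: ${elem} uri=${uri}\n`);
    // Pause/resume is kept from the example this case is based on; presumably
    // it is not needed to reproduce the attribute behaviour.
    parser.pause();
    setTimeout(() => {
      parser.resume();
    }, 200);
  });

  // Each of these wraps the payload in a marker so the event type is obvious
  // in the log output.
  cb.onCharacters((chars) => {
    util.log(`<CHARS>${chars}</CHARS>`);
  });
  cb.onCdata((cdata) => {
    util.log(`<CDATA>${cdata}</CDATA>`);
  });
  cb.onComment((msg) => {
    util.log(`<COMMENT>${msg}</COMMENT>`);
  });
  cb.onWarning((msg) => {
    util.log(`<WARNING>${msg}</WARNING>`);
  });
  cb.onError((msg) => {
    util.log(`<ERROR>${JSON.stringify(msg)}</ERROR>`);
  });
});

// Parse a single in-memory string. The entity references must appear literally
// in this input: with bare " and > characters the attribute value would end at
// its second quote, the document would not be well-formed, and the case would
// exercise no entity handling at all.
parser.parseString(
  '<html><body foo="&quot; this does not &gt; get escaped &quot;"> &quot; but &gt; this does &quot;</body></html>'
);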
Which produces:
28 Mar 12:34:00 - => Started: html uri=null (Attributes: [] )
28 Mar 12:34:00 - => Started: body uri=null (Attributes: [["foo","&quot; this does not &gt; get escaped &quot;"]] )
28 Mar 12:34:00 - <CHARS> </CHARS>
28 Mar 12:34:00 - <CHARS>"</CHARS>
28 Mar 12:34:00 - <CHARS> but </CHARS>
28 Mar 12:34:00 - <CHARS>></CHARS>
28 Mar 12:34:00 - <CHARS> this does </CHARS>
28 Mar 12:34:00 - <CHARS>"</CHARS>
28 Mar 12:34:00 - <= End: body uri=null
28 Mar 12:34:01 - <= End: html uri=null