gpxpy
Custom attributes in `to_xml` not escaped properly
It seems that if `to_xml()` is called to produce an XML file, certain conditions can cause an XML with invalid syntax to be produced.
This happens whenever there are custom attributes in a waypoint. Even though the regular attributes seem to escape properly (e.g. `&` to `&amp;`), this validation doesn't seem to be done for the custom attributes. Here is an example of a failure case:
```xml
<wpt lat="52.4824535" lon="13.4451467">
  <time>2024-02-12T12:48:53Z</time>
  <name>Du Beast drinks &amp; coffee</name>
  <desc>Innstraße 4, Neukölln</desc>
  <sym>amenity_pub</sym>
  <extensions>
    <osmand:amenity_name>Du Beast drinks & coffee</osmand:amenity_name>
    <osmand:amenity_origin>Amenity:Du Beast drinks & coffee: sustenance:bar</osmand:amenity_origin>
  </extensions>
</wpt>
```
This is invalid XML because there is a disallowed ampersand at line 7 (`drinks & coffee`).
This can easily be reproduced by using a GPX file with custom attributes (e.g. from OsmAnd in this case) that contain any of the special characters that are invalid in XML, such as `&`.
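The failure described above can be checked with the Python standard library alone. The following is an added example, not code from the report or from gpxpy: `serialize_wpt` is a hypothetical hand-rolled serializer that mimics the reported behaviour, and the `osmand` namespace URI is a constructed placeholder so the prefix resolves during parsing.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed placeholder namespace URI, only so the osmand: prefix resolves.
OSMAND_NS = "https://example.invalid/osmand"
NAME = "Du Beast drinks & coffee"  # raw value from the report's waypoint


def serialize_wpt(name, escape_extensions):
    """Hypothetical serializer mimicking the reported behaviour (not gpxpy's
    code): standard fields are always escaped, extension text only when
    escape_extensions is True."""
    ext = escape(name) if escape_extensions else name
    return "\n".join([
        f'<wpt lat="52.4824535" lon="13.4451467" xmlns:osmand="{OSMAND_NS}">',
        "<time>2024-02-12T12:48:53Z</time>",
        f"<name>{escape(name)}</name>",
        "<desc>Innstraße 4, Neukölln</desc>",
        "<sym>amenity_pub</sym>",
        "<extensions>",
        f"<osmand:amenity_name>{ext}</osmand:amenity_name>",
        "</extensions>",
        "</wpt>",
    ])


def first_xml_error(document):
    """Return None if the document is well-formed, else (line, column)."""
    try:
        ET.fromstring(document)
    except ET.ParseError as err:
        return err.position
    return None


def extension_text(document):
    """Parse the document and return the amenity_name text as the parser sees it."""
    root = ET.fromstring(document)
    return root.find(f"extensions/{{{OSMAND_NS}}}amenity_name").text


if __name__ == "__main__":
    broken = serialize_wpt(NAME, escape_extensions=False)
    fixed = serialize_wpt(NAME, escape_extensions=True)
    print("unescaped extension:", first_xml_error(broken))
    print("escaped extension:  ", first_xml_error(fixed))
    print("round trip intact:  ", extension_text(fixed) == NAME)
```

Running `first_xml_error` over the string returned by `to_xml()` before writing it to disk catches this class of output in any extension element, not only the two shown in the report.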