While this is not believed to cause security bugs, as this is not interpreted as HTML, the inconsistent or missing escaping causes bugs such as: https://github.com/TurboWarp/extensions/issues/241
To resolve this, we now fully escape (hopefully) every value from extensions that makes its way into XML, so now the characters " ' < > & can be used anywhere in extensions without issues, even opcodes, argument names, field names, etc. Just not the extension ID.
Some parts of Scratch such as ExtensionManager._sanitizeID and Runtime._convertPlaceholders tried to explicitly remove XML characters; however, the code was broken (they only removed the first occurrence), and this seems like the wrong fix anyway. We can use XML characters, they just need to be escaped.
Also includes a very comprehensive test.
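The following is an added example and not code from TurboWarp/scratch-vm. It shows the two points the PR makes: a `String.prototype.replace` call with a string pattern only strips the first occurrence, so "sanitizing" by deletion is both lossy and incomplete, whereas escaping all five XML-significant characters lets any extension-supplied value be embedded in toolbox XML and read back unchanged. The function names (`escapeXml`, `buildBlockXml`, etc.) and the simplified block XML shape are assumptions for illustration.

```javascript
// Added example (not scratch-vm's own code). Function names and the
// simplified <block>/<field> shape are assumptions for illustration.
'use strict';

const XML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&apos;',
};

const XML_UNESCAPES = Object.fromEntries(
  Object.entries(XML_ESCAPES).map(([ch, ent]) => [ent, ch])
);

// Correct approach: escape all five characters, globally. The result is safe
// both as element text and inside attribute values quoted with " or '.
// '&' is handled by the same pass, so an already-escaped input such as
// "&amp;" becomes "&amp;amp;" and round-trips instead of being double-decoded.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, ch => XML_ESCAPES[ch]);
}

// Inverse of escapeXml, so the original value can be recovered from the XML.
function unescapeXml(text) {
  return String(text).replace(/&(amp|lt|gt|quot|apos);/g, ent => XML_UNESCAPES[ent]);
}

// The broken pattern the PR describes: replace() with a string pattern
// (not a global regex) removes only the FIRST match of each character.
// It is also lossy: the user's text is silently changed.
function brokenStripXmlChars(value) {
  return String(value)
    .replace('<', '')
    .replace('>', '')
    .replace('&', '')
    .replace('"', '')
    .replace("'", '');
}

// Build a simplified piece of toolbox XML for one extension block, escaping
// every extension-supplied value (opcode, field names, field values).
// The extension ID itself is still assumed to be plain, as the PR says.
function buildBlockXml(extensionId, opcode, fields) {
  const fieldXml = Object.entries(fields)
    .map(([name, value]) =>
      `<field name="${escapeXml(name)}">${escapeXml(value)}</field>`)
    .join('');
  return `<block type="${extensionId}_${escapeXml(opcode)}">${fieldXml}</block>`;
}

// Structural check: in well-formed output every raw '<' starts a tag, so the
// number of raw '<' characters must equal the number of tags we deliberately
// emitted: <block>, </block>, plus an open/close pair per field.
function countRawAngleBrackets(xml) {
  return (xml.match(/</g) || []).length;
}

function expectedTagCount(fields) {
  return 2 + 2 * Object.keys(fields).length;
}

// Constructed sample input: an opcode and field name/value that each contain
// XML-significant characters.
const SAMPLE_FIELDS = { 'na"me': '<b>&' };
const SAMPLE_XML = buildBlockXml('ext', 'say<x>', SAMPLE_FIELDS);
```

`countRawAngleBrackets(SAMPLE_XML)` equals `expectedTagCount(SAMPLE_FIELDS)` (4), while `brokenStripXmlChars('<<a>>')` leaves `<a>` behind, which would still open a tag if pasted into XML.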