Major Bug's Description:
The API endpoint /transactions/oauth_authorize.xml generates invalid XML if the configured redirect-url contains an ampersand (&). In that scenario, the XML returned contains an ampersand and therefore it's not a valid XML file since "&" is a reserved character in XML spec so must be escaped [1].
Steps to reproduce:
1. Create application for a product that uses OpenID Connect as authentication.
2. Edit redirect URL of created application
3. Set a redirect URL that contains an ampersand (&)
i.e.
https://example.com?foo=bar&foo2=bar2
4. Using the service ID, backend token of the API which the application was created on and the app_id of the application, call the endpoint /transactions/oauth_authorize.xml
i.e
curl -v -X GET "https://example3scale-url/transactions/oauth_authorize.xml?service_token=AAAAAAA&service_id=2555417970930&access_token=BBBBBBB&app_id=161314cc"
Current behavior:
Element status/application/redirect_url shows an ampersand (&) therefore not encoding is applied.
<?xml version="1.0" encoding="UTF-8"?>
<status>
<authorized>true</authorized>
<application>
<id>3205577c</id>
<key>303e42f0149760701983c6679f082e8f</key>
<redirect_url>https://example.com?foo=bar&foo2=bar2</redirect_url>
</application>
<plan>neo-basic</plan>
</status>
Expected behavior:
Element status/application/redirect_url contains the XML encoded variant of the ampersand (&)
<?xml version="1.0" encoding="UTF-8"?>
<status>
<authorized>true</authorized>
<application>
<id>3205577c</id>
<key>303e42f0149760701983c6679f082e8f</key>
<redirect_url>https://example.com?foo=bar&foo2=bar2</redirect_url>
</application>
<plan>neo-basic</plan>
</status>
