[bug] some characters aren't properly escaped in generated XML files on Windows

[bifs]

Describe the bug

tauri build --verbose gives this error:

Running [tauri_bundler::bundle::windows::msi::wix] candle for "main.wxs"
     Running [tauri_bundler::bundle::common] Command `C:\Users\me\AppData\Local\tauri/WixTools\candle.exe  -arch x64 main.wxs -dSourceDir=D:\docs\repos\my-app\src-tauri\target\release\my-app.exe`
Windows Installer XML Toolset Compiler version 3.11.2.4516
Copyright (c) .NET Foundation and contributors. All rights reserved.

main.wxs
D:\docs\repos\my-app\src-tauri\target\release\wix\x64\main.wxs(103) : error CNDL0104 : Not a valid source file; detail: An error occurred while parsing EntityName. Line 103, position 690211.
       Error [tauri_cli_node] failed to bundle project: error running candle.exe

where Line 103, position 690211 points to an & character, which should be escaped as & for the XML to be valid.

// main.wxs, around 103:690211
<Component Id="I5da52d87de654b5885e857b2d70119f8" Guid="9767c26b-f332-4078-9a8e-c02c11a73330" Win64="$(var.Win64)" KeyPath="yes"><File Id="PathFile_I5da52d87de654b5885e857b2d70119f8" Source="D:\docs\repos\my-app\src-tauri\bin\blend-utils\_internal\bpy\4.0\scripts\presets\camera\Blackmagic_Pocket_&_Studio.py" /></Component>

The & character was introduced from here:

tauri/tooling/bundler/src/bundle/windows/msi/wix.rs

Lines 120 to 127 in 80a215a

	files.push_str(
	format!(
	r#"<Component Id="{id}" Guid="{guid}" Win64="$(var.Win64)" KeyPath="yes"><File Id="PathFile_{id}" Source="{path}" /></Component>"#,
	id = file.id,
	guid = file.guid,
	path = file.path.display()
	).as_str()
	);

and rendered by handlebars:

tauri/tooling/bundler/src/bundle/windows/msi/wix.rs

Lines 683 to 684 in 80a215a

	let main_wxs_path = output_path.join("main.wxs");
	write(main_wxs_path, handlebars.render("main.wxs", &data)?)?;

Reproduction

on Windows,

1. create tauri-app -y
2. cd tauri-app
3. touch "src-tauri/&ice.cream" and bundle it as a resource

{
  "tauri": {
    "bundle": {
      "identifier": "com.tauri.dev1",
      "resources": [
        "&ice.cream"
      ],
      // ...
    }
    // ...
  }
  // ...
}

4. pnpm i
5. pnpm tauri build --verbose

then it would print the error above.

Expected behavior

The bundling process should be successful.

Full tauri info output

[✔] Environment
    - OS: Windows 10.0.22631 X64
    ✔ WebView2: 122.0.2365.52
    ✔ MSVC:
        - Visual Studio Build Tools 2017
        - Visual Studio Build Tools 2022
        - Visual Studio Community 2022
    ✔ rustc: 1.74.1 (a28077b28 2023-12-04)
    ✔ cargo: 1.74.1 (ecb9851af 2023-10-18)
    ✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
    ✔ Rust toolchain: stable-x86_64-pc-windows-msvc (default)
    - node: 20.5.1
    - pnpm: 8.6.7
    - npm: 9.8.0

[-] Packages
    - tauri [RUST]: 1.6.1
    - tauri-build [RUST]: 1.5.1
    - wry [RUST]: 0.24.7
    - tao [RUST]: 0.16.7
    - @tauri-apps/api [NPM]: 1.5.3
    - @tauri-apps/cli [NPM]: 1.5.10

[-] App
    - build-type: bundle
    - CSP: unset
    - distDir: ../dist
    - devPath: http://localhost:1420/
    - framework: SolidJS
    - bundler: Vite

Stack trace

No response

Additional context

I've found the default escaping behavior is disabled intentionally (possibly to render XML elements from a raw string):

tauri/tooling/bundler/src/bundle/windows/msi/wix.rs

Line 582 in 80a215a

handlebars.register_escape_fn(handlebars::no_escape);

and I can solve this issue by applying the default behavior to the problematic strings.
https://github.com/sunng87/handlebars-rust/blob/3b69fb320230374b39a5c7401c5bed817b133696/src/registry.rs#L41-L51
https://github.com/sunng87/handlebars-rust/blob/3b69fb320230374b39a5c7401c5bed817b133696/src/support.rs#L42-L58

- use handlebars::{to_json, Handlebars};
+ use handlebars::{html_escape, to_json, Handlebars};
// ..
      files.push_str(
        format!(
          r#"<Component Id="{id}" Guid="{guid}" Win64="$(var.Win64)" KeyPath="yes"><File Id="PathFile_{id}" Source="{path}" /></Component>"#,
          id = file.id,
          guid = file.guid,
-          path = file.path.display()
+          path = html_escape(&file.path.display().to_string())
        ).as_str()
      );
// ..
      format!(
        r#"<Directory Id="I{id}" Name="{name}">{files}{directories}</Directory>"#,
        id = Uuid::new_v4().as_simple(),
-        name = self.name,
+        name = html_escape(&self.name),
        files = files,
        directories = directories,
      )

I've tested this works by building cli.win32-x64-msvc.node and putting it in node_modules/@tauri-apps/cli.

I couldn't open a PR because I'm not sure this is a right way/style to fix it.
I'd appreciate any kind of comments. Thanks in advance.

[amrbashir]

@bifs thank you for tracking this down. Applying the default html escape on the path only should be fine, feel free to open a PR