diff --git a/js/breadcrumb.js b/js/breadcrumb.js
index 09b0a6d81..de0afba07 100644
--- a/js/breadcrumb.js
+++ b/js/breadcrumb.js
@@ -69,8 +69,8 @@ $(function()
 if (sTitle.length == 0) {
 sTitle = oEntry['label'];
 }
-sTitle = SanitizeHtml(sTitle, false);
-sLabel = SanitizeHtml(sLabel, false);
+sTitle = EncodeHtml(sTitle, false);
+sLabel = EncodeHtml(sLabel, false);
 if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length-1)) {
 // Last entry is the current page
diff --git a/js/utils.js b/js/utils.js
index df08ad4ae..2a94a2372 100644
--- a/js/utils.js
+++ b/js/utils.js
@@ -681,16 +681,16 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
 /**
 * @param sValue value to escape
-* @param bReplaceAmp if false don't replace "&" (can be useful when dealing with html entities)
-* @returns {string} sanitized value, ready to insert in the DOM without XSS risk
+* @param bReplaceAmp if false don't replace "&" (can be useful when sValue contrains html entities we want to keep)
+* @returns {string} escaped value, ready to insert in the DOM without XSS risk
 *
 * @since 2.6.5, 2.7.2, 3.0.0 N°3332
 * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
 * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
 * example the text() JQuery way) isn't safe
 */
-function SanitizeHtml(sValue, bReplaceAmp) {
-var sSanitizedValue = (sValue+'')
+function EncodeHtml(sValue, bReplaceAmp) {
+var sEncodedValue = (sValue+'')
 .replace(//g, '>')
 .replace(/"/g, '"')
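Review bot: The new `@param bReplaceAmp` line carries a typo, "contrains" for "contains"; `* @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep)`. The new `@returns` line also promises more than the code delivers: the linked OWASP rule is Rule 1 (element content), and with `bReplaceAmp` false every `&` in sValue passes through untouched, so the doc should state that the result is safe only for HTML element content or quoted attribute values (never JS, URL or CSS contexts) and that `false` is only appropriate when the ampersands in sValue are trusted entities produced by our own code. Renaming a global helper in place may also break callers outside this diff that still reference `SanitizeHtml` (they would fail with a ReferenceError at runtime); if such callers can exist, a deprecated one-line alias `function SanitizeHtml(sValue, bReplaceAmp) { return EncodeHtml(sValue, bReplaceAmp); }` keeps them working. The function body continues in the next hunk.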
@@ -698,10 +698,10 @@ function SanitizeHtml(sValue, bReplaceAmp) {
 .replace(/\//g, '/');
 if (bReplaceAmp) {
-sSanitizedValue = sSanitizedValue.replace(/&/g, '&');
+sEncodedValue = sEncodedValue.replace(/&/g, '&');
 }
-return sSanitizedValue;
+return sEncodedValue;
 }
 // Very simple equivalent to format: placeholders are %1$s %2$d ...
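Review bot: The ampersand step on the added `sEncodedValue = sEncodedValue.replace(/&/g, …)` line runs after the `<`, `>`, `"` and `/` replacements, so when bReplaceAmp is true every entity those earlier steps produced gets its `&` encoded a second time (`&lt;` would become `&amp;lt;` and render as the literal text "&lt;"). The replacement strings appear entity-decoded in this rendering, so confirm against the file, but if they are the usual named entities the `&` replacement must be the first one applied, not the last. A minimal fix is `var sEncodedValue = (sValue+'');` followed by `if (bReplaceAmp) { sEncodedValue = sEncodedValue.replace(/&/g, '&amp;'); }` and then the existing `.replace` chain assigned back to `sEncodedValue`, dropping the trailing `if`. Separately, `if (bReplaceAmp)` treats an omitted flag as false, so a caller that forgets the argument silently gets the weaker encoding; `if (bReplaceAmp !== false)` would make full encoding the default, at the cost of changing behaviour for callers that currently pass undefined. The function head and the start of the `.replace` chain are in the previous hunk.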