N°3332 Security hardening

2026-05-19 15:22:17 +02:00 · 2020-09-23 17:17:05 +02:00
parent 228a945da9
commit 1e634a8bba
2 changed files with 32 additions and 15 deletions
--- a/js/breadcrumb.js
+++ b/js/breadcrumb.js
@@ -59,24 +59,25 @@ $(function()
 					var oEntry = aBreadCrumb[iEntry];
 					if (oEntry['label'].length > 0)
 					{
-                        var sIconSpec = '';
-                        if (oEntry['icon'].length > 0)
-                        {
-                            sIconSpec = '<span class="icon"><img src="'+oEntry['icon']+'"/></span>';
-                        }
-						var sTitle = oEntry['description'];
+						var sIconSpec = '';
+						if (oEntry['icon'].length > 0) {
+							sIconSpec = '<span class="icon"><img src="'+oEntry['icon']+'"/></span>';
+						}
+
+						var sTitle = oEntry['description'],
+							sLabel = oEntry['label'];
 						if (sTitle.length == 0) {
 							sTitle = oEntry['label'];
 						}
-						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length - 1))
-						{
+						sTitle = SanitizeHtml(sTitle);
+						sLabel = SanitizeHtml(sLabel);
+
+						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length-1)) {
 							// Last entry is the current page
-							sBreadCrumbHtml += '<div class="breadcrumb-item breadcrumb-current" breadcrumb-entry="'+iEntry+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+oEntry['label']+'</span></div>';
-						}
-						else
-						{
+							sBreadCrumbHtml += '<div class="breadcrumb-item breadcrumb-current" breadcrumb-entry="'+iEntry+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+sLabel+'</span></div>';
+						} else {
 							var sSanitizedUrl = StripArchiveArgument(oEntry['url']);
-							sBreadCrumbHtml += '<div class="breadcrumb-item"><a class="breadcrumb-link" breadcrumb-entry="'+iEntry+'" href="'+sSanitizedUrl+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+oEntry['label']+'</span></a></div>';
+							sBreadCrumbHtml += '<div class="breadcrumb-item"><a class="breadcrumb-link" breadcrumb-entry="'+iEntry+'" href="'+sSanitizedUrl+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+sLabel+'</span></a></div>';
 						}
 					}
 				}
--- a/js/utils.js
+++ b/js/utils.js
@@ -669,6 +669,23 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
 	);
 }

+/**
+ * @param sValue value to escape
+ * @returns {string} sanitized value, ready to insert in the DOM without XSS risk
+ *
+ * @since 2.6.5, 2.7.2, 2.8.0 N°3332
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
+ */
+function SanitizeHtml(sValue) {
+	return (sValue+'')
+		.replace(/&/g, '&amp;')
+		.replace(/</g, '&lt;')
+		.replace(/>/g, '&gt;')
+		.replace(/"/g, '&quot;')
+		.replace(/'/g, '&#x27;')
+		.replace(/\//g, '&#x2F;');
+}
+
 // Very simple equivalent to format: placeholders are %1$s %2$d ...
 function Format() {
 	var args = [];
@@ -676,8 +693,7 @@ function Format() {
 	if (arguments[0] instanceof Array) {
 		str = arguments[0][0].toString();
 		args = arguments[0];
-	}
-	else {
+	} else {
 		str = arguments[0].toString();
 		if (arguments.length > 1) {
 			var t = typeof arguments[1];