Merge remote-tracking branch 'origin/develop' into feature/backoffice-full-moon-design

# Conflicts: # js/components/breadcrumbs.js
2026-04-20 00:58:48 +02:00 · 2020-10-12 12:51:05 +02:00
parent b7b1ef1a1f 72fc22c49a
commit 5b2c279eac
3 changed files with 18 additions and 16 deletions
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -1017,16 +1017,11 @@ class utils

 	/**
 	 * Get the _SESSION variable for logging purpose
-	 * @return false|string
+	 * @return string
 	 */
 	public static function GetSessionLog()
 	{
-		ob_start();
-		print_r($_SESSION);
-		$sSessionLog = ob_get_contents();
-		ob_end_clean();
-
-		return $sSessionLog;
+		return print_r($_SESSION, true);
 	}

 	 static function DebugBacktrace($iLimit = 5)
--- a/js/components/breadcrumbs.js
+++ b/js/components/breadcrumbs.js
@@ -92,14 +92,13 @@ $(function()
 						if (sTitle.length == 0) {
 							sTitle = sLabel;
 						}
+						sTitle = SanitizeHtml(sTitle, false);
+						sLabel = SanitizeHtml(sLabel, false);

-						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length - 1))
-						{
+						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length - 1)) {
 							// Last entry is the current page
 							sBreadcrumbsItemHtml += '<span class="ibo-breadcrumbs--item--is-current" data-breadcrumb-entry-number="'+iEntry+'" title="'+sTitle+'">'+sIconSpec+'<span class="ibo-breadcrumbs--item-label">'+sLabel+'</span></span>';
-						}
-						else
-						{
+						} else {
 							var sSanitizedUrl = StripArchiveArgument(oEntry['url']);
 							sBreadcrumbsItemHtml += '<a class="ibo-breadcrumbs--item" data-breadcrumb-entry-number="'+iEntry+'" href="'+sSanitizedUrl+'" title="'+sTitle+'">'+sIconSpec+'<span class="ibo-breadcrumbs--item-label">'+sLabel+'</span></a>';
 						}
--- a/js/utils.js
+++ b/js/utils.js
@@ -681,19 +681,27 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {

 /**
 * @param sValue value to escape
+ * @param bReplaceAmp if false don't replace "&" (can be useful when dealing with html entities)
 * @returns {string} sanitized value, ready to insert in the DOM without XSS risk
 *
- * @since 2.6.5, 2.7.2, 2.8.0 N°3332
+ * @since 2.6.5, 2.7.2, 3.0.0 N°3332
 * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
+ * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
+ *        example the text() JQuery way) isn't safe
 */
-function SanitizeHtml(sValue) {
-	return (sValue+'')
-		.replace(/&/g, '&amp;')
+function SanitizeHtml(sValue, bReplaceAmp) {
+	var sSanitizedValue = (sValue+'')
 		.replace(/</g, '&lt;')
 		.replace(/>/g, '&gt;')
 		.replace(/"/g, '&quot;')
 		.replace(/'/g, '&#x27;')
 		.replace(/\//g, '&#x2F;');
+
+	if (bReplaceAmp) {
+		sSanitizedValue = sSanitizedValue.replace(/&/g, '&amp;');
+	}
+
+	return sSanitizedValue;
 }

 // Very simple equivalent to format: placeholders are %1$s %2$d ...