Merge remote-tracking branch 'origin/develop' into feature/backoffice-full-moon-design

# Conflicts:
#	js/components/breadcrumbs.js

js/utils.js

@@ -681,19 +681,27 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
 
 /**
  * @param sValue value to escape
+ * @param bReplaceAmp if false don't replace "&" (can be useful when dealing with html entities)
  * @returns {string} sanitized value, ready to insert in the DOM without XSS risk
  *
- * @since 2.6.5, 2.7.2, 2.8.0 N°3332
+ * @since 2.6.5, 2.7.2, 3.0.0 N°3332
  * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
+ * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
+ *        example the text() JQuery way) isn't safe
  */
-function SanitizeHtml(sValue) {
-	return (sValue+'')
-		.replace(/&/g, '&')
+function SanitizeHtml(sValue, bReplaceAmp) {
+	var sSanitizedValue = (sValue+'')
 		.replace(/</g, '&lt;')
 		.replace(/>/g, '&gt;')
 		.replace(/"/g, '&quot;')
 		.replace(/'/g, '&#x27;')
 		.replace(/\//g, '&#x2F;');
+
+	if (bReplaceAmp) {
+		sSanitizedValue = sSanitizedValue.replace(/&/g, '&amp;');
+	}
+
+	return sSanitizedValue;
 }
 
 // Very simple equivalent to format: placeholders are %1$s %2$d ...