diff --git a/js/breadcrumb.js b/js/breadcrumb.js index ab0941d869..09b0a6d81a 100644 --- a/js/breadcrumb.js +++ b/js/breadcrumb.js @@ -69,8 +69,8 @@ $(function() if (sTitle.length == 0) { sTitle = oEntry['label']; } - sTitle = SanitizeHtml(sTitle); - sLabel = SanitizeHtml(sLabel); + sTitle = SanitizeHtml(sTitle, false); + sLabel = SanitizeHtml(sLabel, false); if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length-1)) { // Last entry is the current page diff --git a/js/utils.js b/js/utils.js index 58fc930b78..df08ad4ae6 100644 --- a/js/utils.js +++ b/js/utils.js @@ -681,19 +681,27 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) { /** * @param sValue value to escape + * @param bReplaceAmp if false don't replace "&" (can be useful when dealing with html entities) * @returns {string} sanitized value, ready to insert in the DOM without XSS risk * - * @since 2.6.5, 2.7.2, 2.8.0 N°3332 + * @since 2.6.5, 2.7.2, 3.0.0 N°3332 * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content + * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for + * example the text() JQuery way) isn't safe */ -function SanitizeHtml(sValue) { - return (sValue+'') - .replace(/&/g, '&') +function SanitizeHtml(sValue, bReplaceAmp) { + var sSanitizedValue = (sValue+'') .replace(//g, '>') .replace(/"/g, '"') .replace(/'/g, ''') .replace(/\//g, '/'); + + if (bReplaceAmp) { + sSanitizedValue = sSanitizedValue.replace(/&/g, '&'); + } + + return sSanitizedValue; } // Very simple equivalent to format: placeholders are %1$s %2$d ...