Merge remote-tracking branch 'origin/support/2.7' into develop

js/breadcrumb.js

@@ -69,8 +69,8 @@ $(function()
 						if (sTitle.length == 0) {
 							sTitle = oEntry['label'];
 						}
-						sTitle = SanitizeHtml(sTitle);
+						sTitle = SanitizeHtml(sTitle, false);
-						sLabel = SanitizeHtml(sLabel);
+						sLabel = SanitizeHtml(sLabel, false);
 
 						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length-1)) {
 							// Last entry is the current page

js/utils.js

@@ -681,19 +681,27 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
 
 /**
  * @param sValue value to escape
+ * @param bReplaceAmp if false don't replace "&" (can be useful when dealing with html entities)
  * @returns {string} sanitized value, ready to insert in the DOM without XSS risk
  *
- * @since 2.6.5, 2.7.2, 2.8.0 N°3332
+ * @since 2.6.5, 2.7.2, 3.0.0 N°3332
  * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
+ * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
+ *        example the text() JQuery way) isn't safe
  */
-function SanitizeHtml(sValue) {
+function SanitizeHtml(sValue, bReplaceAmp) {
-	return (sValue+'')
+	var sSanitizedValue = (sValue+'')
-		.replace(/&/g, '&')
 		.replace(/</g, '&lt;')
 		.replace(/>/g, '&gt;')
 		.replace(/"/g, '&quot;')
 		.replace(/'/g, '&#x27;')
 		.replace(/\//g, '&#x2F;');
+
+	if (bReplaceAmp) {
+		sSanitizedValue = sSanitizedValue.replace(/&/g, '&amp;');
+	}
+
+	return sSanitizedValue;
 }
 
 // Very simple equivalent to format: placeholders are %1$s %2$d ...