From 88fda1466eac8e38b1df0470b34cf92c405d0871 Mon Sep 17 00:00:00 2001
From: acognet <anne-catherine.cognet@combodo.com>
Date: Tue, 19 Oct 2021 11:25:07 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B04374=20-=20Add=20sanitizer=20helper=20fo?=
 =?UTF-8?q?r=20front=20end=20(JS)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 js/components/breadcrumbs.js |  4 ++--
 js/utils.js                  | 23 ++++++++---------------
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/js/components/breadcrumbs.js b/js/components/breadcrumbs.js
index d2c00f410..82237c30f 100644
--- a/js/components/breadcrumbs.js
+++ b/js/components/breadcrumbs.js
@@ -114,8 +114,8 @@ $(function()
 						if (sTitle.length === 0) {
 							sTitle = sLabel;
 						}
-						sTitle = CombodoSanitizer.EscapeHtml(sTitle, false);
-						sLabel = CombodoSanitizer.EscapeHtml(sLabel, false);
+						sTitle = CombodoSanitizer.EscapeHtml(sTitle, true);
+						sLabel = CombodoSanitizer.EscapeHtml(sLabel, true);
 
 						if ((this.options.new_entry !== null) && (iEntry === aBreadCrumb.length-1)) {
 							// Last entry is the current page
diff --git a/js/utils.js b/js/utils.js
index e135e07ea..d298e2136 100644
--- a/js/utils.js
+++ b/js/utils.js
@@ -1046,29 +1046,22 @@ const CombodoSanitizer = {
 
 	/**
 	 * @param sValue value to escape
-	 * @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep)
-	 *
+	 * @param bOutputInHtml if true return html ("<" become "&lt;")
+	 *                                        if false return text ("<" stay "<")
 	 * @returns {string} escaped value, ready to insert in the DOM without XSS risk
 	 *
 	 * @since 2.6.5, 2.7.2, 3.0.0 N°3332
-	 * @since 3.0.0 N°4367 deprecate EncodeHtml and copy the method here (CombodoSanitizer.EscapeHtml)
+	 * @since 3.0.0 N°4367 deprecate EncodeHtml and replace by this new method  (CombodoSanitizer.EscapeHtml) - params and script are not exactly the same
 	 *
 	 * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
 	 * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
 	 *        example the text() JQuery way) isn't safe
 	 */
-	EscapeHtml: function (sValue, bReplaceAmp) {
-		let sEncodedValue = (sValue+'')
-			.replace(/</g, '&lt;')
-			.replace(/>/g, '&gt;')
-			.replace(/"/g, '&quot;')
-			.replace(/'/g, '&#x27;')
-			.replace(/\//g, '&#x2F;');
-
-		if (bReplaceAmp) {
-			sEncodedValue = sEncodedValue.replace(/&/g, '&amp;');
+	EscapeHtml: function (sValue, bOutputInHtml = true) {
+		if (bOutputInHtml) {
+			return $('<div>').text(sValue).html();
 		}
-
-		return sEncodedValue;
+		return $('<div>').text(sValue).text();
+	//	return sValue;
 	}
 }