Merge remote-tracking branch 'origin/support/2.6' into support/2.7

2026-02-13 07:24:13 +01:00 · 2020-09-25 08:57:08 +02:00
parent 4e0eed6e13 45e366745d
commit e2c67dfcc4
3 changed files with 34 additions and 18 deletions
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -1344,9 +1344,8 @@ class UserRights
 			// The bug has been fixed in PHP 7.2, but in case session_regenerate_id()
 			// fails we just silently ignore the error and keep the same session id...
 			$old_error_handler = set_error_handler(array(__CLASS__, 'VoidErrorHandler'));
-			session_regenerate_id();
-			if ($old_error_handler !== null)
-			{
+			session_regenerate_id(true);
+			if ($old_error_handler !== null) {
 				set_error_handler($old_error_handler);
 			}
 		}
--- a/js/breadcrumb.js
+++ b/js/breadcrumb.js
@@ -59,24 +59,25 @@ $(function()
 					var oEntry = aBreadCrumb[iEntry];
 					if (oEntry['label'].length > 0)
 					{
-                        var sIconSpec = '';
-                        if (oEntry['icon'].length > 0)
-                        {
-                            sIconSpec = '<span class="icon"><img src="'+oEntry['icon']+'"/></span>';
-                        }
-						var sTitle = oEntry['description'];
+						var sIconSpec = '';
+						if (oEntry['icon'].length > 0) {
+							sIconSpec = '<span class="icon"><img src="'+oEntry['icon']+'"/></span>';
+						}
+
+						var sTitle = oEntry['description'],
+							sLabel = oEntry['label'];
 						if (sTitle.length == 0) {
 							sTitle = oEntry['label'];
 						}
-						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length - 1))
-						{
+						sTitle = SanitizeHtml(sTitle);
+						sLabel = SanitizeHtml(sLabel);
+
+						if ((this.options.new_entry !== null) && (iEntry == aBreadCrumb.length-1)) {
 							// Last entry is the current page
-							sBreadCrumbHtml += '<div class="breadcrumb-item breadcrumb-current" breadcrumb-entry="'+iEntry+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+oEntry['label']+'</span></div>';
-						}
-						else
-						{
+							sBreadCrumbHtml += '<div class="breadcrumb-item breadcrumb-current" breadcrumb-entry="'+iEntry+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+sLabel+'</span></div>';
+						} else {
 							var sSanitizedUrl = StripArchiveArgument(oEntry['url']);
-							sBreadCrumbHtml += '<div class="breadcrumb-item"><a class="breadcrumb-link" breadcrumb-entry="'+iEntry+'" href="'+sSanitizedUrl+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+oEntry['label']+'</span></a></div>';
+							sBreadCrumbHtml += '<div class="breadcrumb-item"><a class="breadcrumb-link" breadcrumb-entry="'+iEntry+'" href="'+sSanitizedUrl+'" title="'+sTitle+'">'+sIconSpec+'<span class="truncate">'+sLabel+'</span></a></div>';
 						}
 					}
 				}
--- a/js/utils.js
+++ b/js/utils.js
@@ -679,6 +679,23 @@ function DisplayHistory(sSelector, sFilter, iCount, iStart) {
 	);
 }

+/**
+ * @param sValue value to escape
+ * @returns {string} sanitized value, ready to insert in the DOM without XSS risk
+ *
+ * @since 2.6.5, 2.7.2, 2.8.0 N°3332
+ * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
+ */
+function SanitizeHtml(sValue) {
+	return (sValue+'')
+		.replace(/&/g, '&amp;')
+		.replace(/</g, '&lt;')
+		.replace(/>/g, '&gt;')
+		.replace(/"/g, '&quot;')
+		.replace(/'/g, '&#x27;')
+		.replace(/\//g, '&#x2F;');
+}
+
 // Very simple equivalent to format: placeholders are %1$s %2$d ...
 function Format() {
 	var args = [];
@@ -686,8 +703,7 @@ function Format() {
 	if (arguments[0] instanceof Array) {
 		str = arguments[0][0].toString();
 		args = arguments[0];
-	}
-	else {
+	} else {
 		str = arguments[0].toString();
 		if (arguments.length > 1) {
 			var t = typeof arguments[1];