N°4374 - Add sanitizer helper for front end (JS) - Rollback

2026-02-12 23:14:18 +01:00 · 2021-10-19 16:28:10 +02:00
parent ebe50b319a
commit ec8c2ca122
3 changed files with 20 additions and 12 deletions
--- a/js/components/breadcrumbs.js
+++ b/js/components/breadcrumbs.js
@@ -103,8 +103,7 @@ $(function()
                        if (oEntry['icon_type'] === 'css_classes')
                        {
 	                        sIconSpec = '<span class="ibo-breadcrumbs--item-icon"><span class="'+oEntry['icon']+'"/></span></span>';
-                        }
-                        else if (oEntry['icon'].length > 0) {
+                        } else if (oEntry['icon'].length > 0) {
 	                        // Mind the empty "alt" attribute https://www.w3.org/WAI/tutorials/images/decorative/
 	                        sIconSpec = '<span class="ibo-breadcrumbs--item-icon"><img src="'+oEntry['icon']+'" alt=""/></span>';
                        }
@@ -114,8 +113,8 @@ $(function()
 						if (sTitle.length === 0) {
 							sTitle = sLabel;
 						}
-						sTitle = CombodoSanitizer.EscapeHtml(sTitle, true);
-						sLabel = CombodoSanitizer.EscapeHtml(sLabel, true);
+						sTitle = CombodoSanitizer.EscapeHtml(sTitle, false);
+						sLabel = CombodoSanitizer.EscapeHtml(sLabel, false);

 						if ((this.options.new_entry !== null) && (iEntry === aBreadCrumb.length-1)) {
 							// Last entry is the current page
--- a/js/utils.js
+++ b/js/utils.js
@@ -1046,22 +1046,29 @@ const CombodoSanitizer = {

 	/**
 	 * @param sValue value to escape
-	 * @param bOutputInHtml if true return html ("<" become "&lt;")
-	 *                                        if false return text ("<" stay "<")
+	 * @param bReplaceAmp if false don't replace "&" (can be useful when sValue contains html entities we want to keep)
+	 *
 	 * @returns {string} escaped value, ready to insert in the DOM without XSS risk
 	 *
 	 * @since 2.6.5, 2.7.2, 3.0.0 N°3332
-	 * @since 3.0.0 N°4367 deprecate EncodeHtml and replace by this new method  (CombodoSanitizer.EscapeHtml) - params and script are not exactly the same
+	 * @since 3.0.0 N°4367 deprecate EncodeHtml and copy the method here (CombodoSanitizer.EscapeHtml)
 	 *
 	 * @see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#rule-1-html-encode-before-inserting-untrusted-data-into-html-element-content
 	 * @see https://stackoverflow.com/questions/295566/sanitize-rewrite-html-on-the-client-side/430240#430240 why inserting in the DOM (for
 	 *        example the text() JQuery way) isn't safe
 	 */
-	EscapeHtml: function (sValue, bOutputInHtml = true) {
-		if (bOutputInHtml) {
-			return $('<div>').text(sValue).html();
+	EscapeHtml: function (sValue, bReplaceAmp) {
+		if (bReplaceAmp) {
+			return $('<div/>').text(sValue).html();
 		}
-		return $('<div>').text(sValue).text();
-	//	return sValue;
+
+		let sEncodedValue = (sValue+'')
+			.replace(/</g, '&lt;')
+			.replace(/>/g, '&gt;')
+			.replace(/"/g, '&quot;')
+			.replace(/'/g, '&#x27;')
+			.replace(/\//g, '&#x2F;');
+
+		return sEncodedValue;
 	}
 }
--- a/test/VisualTest/sanitize_test.php
+++ b/test/VisualTest/sanitize_test.php
@@ -47,6 +47,8 @@ $aValues = array(
 	"",
 	"()=°²€",
 	"éèç",
+	"q<div>&egrave;</div>=hcb test",
+//	"<script>console.debug('((\'&egrave;é&');</script>q<div>&egrave;</div>=hcb test",
 );

 $aTypes = array(