PHRAS-2276 port to 4.1 template escape (#2819)

* fix escape lightbox

* fix escape in admin connected-user

* fix prod escaping

* fix escaping in thesaurus

* escape when rendered

* escape in controller

lib/Alchemy/Phrasea/Controller/Prod/RecordController.php

@@ -90,35 +90,44 @@ class RecordController extends Controller
         }
         $recordCaptions["technicalInfo"] = $record->getPositionFromTechnicalInfos();
 
+        //  escape record title before rendering
+        $recordTitle = explode("</span>", $record->get_title());
+        if (count($recordTitle) >1) {
+            $recordTitle[1] = htmlspecialchars($recordTitle[1]);
+            $recordTitle = implode("</span>", $recordTitle);
+        } else {
+            $recordTitle = htmlspecialchars($record->get_title());
+        }
+
         return $this->app->json([
-            "desc"          => $this->render('prod/preview/caption.html.twig', [
+            "desc"            => $this->render('prod/preview/caption.html.twig', [
                 'record'        => $record,
                 'highlight'     => $query,
                 'searchEngine'  => $searchEngine,
                 'searchOptions' => $options,
             ]),
-            "recordCaptions"=> $recordCaptions,
-            "html_preview"  => $this->render('common/preview.html.twig', [
+            "recordCaptions"  => $recordCaptions,
+            "html_preview"    => $this->render('common/preview.html.twig', [
                 'record'        => $record
             ]),
-            "others"        => $this->render('prod/preview/appears_in.html.twig', [
+            "others"          => $this->render('prod/preview/appears_in.html.twig', [
                 'parents'       => $record->get_grouping_parents(),
                 'baskets'       => $record->get_container_baskets($this->getEntityManager(), $this->getAuthenticatedUser()),
             ]),
-            "current"       => $train,
-            "record"        => $currentRecord,
-            "history"       => $this->render('prod/preview/short_history.html.twig', [
+            "current"         => $train,
+            "record"          => $currentRecord,
+            "history"         => $this->render('prod/preview/short_history.html.twig', [
                 'record'        => $record,
             ]),
-            "popularity"    => $this->render('prod/preview/popularity.html.twig', [
+            "popularity"      => $this->render('prod/preview/popularity.html.twig', [
                 'record'        => $record,
             ]),
-            "tools"         => $this->render('prod/preview/tools.html.twig', [
+            "tools"           => $this->render('prod/preview/tools.html.twig', [
                 'record'        => $record,
             ]),
-            "pos"           => $record->getNumber(),
-            "title"         => $record->get_title(),
-            "databox_name" => $record->getDatabox()->get_dbname(),
+            "pos"             => $record->getNumber(),
+            "title"           => $recordTitle,
+            "databox_name"    => $record->getDatabox()->get_dbname(),
             "collection_name" => $record->getCollection()->get_name(),
             "collection_logo" => $record->getCollection()->getLogo($record->getBaseId(), $this->app),
         ]);

lib/Alchemy/Phrasea/Controller/Thesaurus/ThesaurusController.php

@@ -806,7 +806,7 @@ class ThesaurusController extends Controller
                         if (!$t) {
                             $t = "...";
                         }
-                        $fullBranch = " / " . $t . $fullBranch;
+                        $fullBranch = " / " . htmlspecialchars($t) . $fullBranch;
                     }
                 }
                 $nodes = $xpathstruct->query("/record/description/*");
@@ -1159,7 +1159,7 @@ class ThesaurusController extends Controller
             '1',
             null
         );
-        $fullpath = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
+        $fullpathHtml = $dom->getElementsByTagName("fullpath_html")->item(0)->firstChild->nodeValue;
         $hits = $dom->getElementsByTagName("allhits")->item(0)->firstChild->nodeValue;
 
         $languages = $synonyms = [];
@@ -1180,6 +1180,16 @@ class ThesaurusController extends Controller
             $languages[$lng_code[0]] = $language;
         }
 
+        //  Escape path  between span tag in fullpath_html
+        preg_match_all("'(<[^><]*>)(.*?)(<[^><]*>)'", $fullpathHtml, $matches, PREG_SET_ORDER);
+
+        $safeFullpath = '';
+        foreach($matches as $match) {
+            unset($match[0]);  // full match result not used
+            $match[2] = htmlspecialchars($match[2]);
+            $safeFullpath .= implode('', $match);
+        }
+
         return $this->render('thesaurus/properties.html.twig', [
             'typ' => $request->get('typ'),
             'bid' => $request->get('bid'),
@@ -1187,7 +1197,7 @@ class ThesaurusController extends Controller
             'id' => $request->get('id'),
             'dlg' => $request->get('dlg'),
             'languages' => $languages,
-            'fullpath' => $fullpath,
+            'fullpath' => $safeFullpath,
             'hits' => $hits,
             'synonyms' => $synonyms,
         ]);