From ed0cee97f537a7ac514526ff193df68df528560e Mon Sep 17 00:00:00 2001
From: Sami Mazouz
Date: Fri, 18 Nov 2022 22:09:22 +0100
Subject: [PATCH] fix: evaluated page title content (#3684)
* fix: evaluated page title content
* chore: add comment
* chore: use DOMParser instead
* fix: use `innerHTML` for the actual value
Signed-off-by: Sami Mazouz
Co-authored-by: David Wheatley
---
 framework/core/js/src/common/Application.tsx | 16 +++++++++++-----
 framework/core/views/frontend/app.blade.php |  2 +-
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/framework/core/js/src/common/Application.tsx b/framework/core/js/src/common/Application.tsx
index 5db7fa84e..8d0140fde 100644
--- a/framework/core/js/src/common/Application.tsx
+++ b/framework/core/js/src/common/Application.tsx
@@ -410,16 +410,22 @@ export default class Application {
       pageNumber: 1,
     };
 
-    const title =
+    let title =
       onHomepage || !this.title
         ? extractText(app.translator.trans('core.lib.meta_titles.without_page_title', params))
         : extractText(app.translator.trans('core.lib.meta_titles.with_page_title', params));
 
-    const tempEl = document.createElement('div');
-    tempEl.innerHTML = title;
-    const decodedTitle = tempEl.innerText;
+    title = count + title;
 
-    document.title = count + decodedTitle;
+    // We pass the title through a DOMParser to allow HTML entities
+    // to be rendered correctly, while still preventing XSS attacks
+    // from user input by using a script-disabled environment.
+    // https://github.com/flarum/framework/issues/3514
+    // https://github.com/flarum/framework/pull/3684
+    const parser = new DOMParser();
+    const safeTitle = parser.parseFromString(title, 'text/html').body.innerHTML;
+
+    document.title = safeTitle;
   }
 
   protected transformRequestOptions(flarumOptions: FlarumRequestOptions): InternalFlarumRequestOptions {
diff --git a/framework/core/views/frontend/app.blade.php b/framework/core/views/frontend/app.blade.php
index 249aa3f99..2027af5c2 100644
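Review bot: `.body.innerHTML` on the new `safeTitle` line re-serializes the parsed body, so an entity the parse decoded (`&amp;` back to `&`) is encoded again and any tags are kept as escaped markup text; because the `document.title` setter stores its argument as plain text, the visible title would then show `&amp;` rather than `&`, which looks at odds with the comment's stated goal of rendering entities correctly. If decoded text is the intent, `body.textContent` gives it while keeping the DOMParser isolation (no script execution or resource loading for the parsed document), e.g. `const safeTitle = parser.parseFromString(title, 'text/html').body.textContent ?? '';` — this assumes `title` may carry entity references from the translator output, which is not visible in the hunk. Separately, `let title` followed by `title = count + title` could remain a `const` by folding `count +` into the initializer. The enclosing method begins before the hunk, and `transformRequestOptions` on the last context line continues past it.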
--- a/framework/core/views/frontend/app.blade.php
+++ b/framework/core/views/frontend/app.blade.php
@@ -3,7 +3,7 @@ @if ($language) lang="{{ $language }}" @endif>
- {!! $title !!}
+ {{ $title }}
 {!! $head !!}
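Review bot: The switch to `{{ $title }}` only escapes when `$title` is a plain string: Blade's `{{ }}` compiles to `e()`, which returns `Htmlable`/`HtmlString` values unescaped and, by default, double-encodes a string that is already escaped (`&amp;` becomes `&amp;amp;`). It is worth confirming in the code that assigns `$title` (outside this patch) that it passes the raw, unescaped string and never an `HtmlString`, and recording that contract next to the line, e.g. `{{-- $title is raw text; Blade escapes it here --}}`. The context lines of this hunk appear to have lost their HTML tags in this rendering, so the surrounding `<title>`/`<head>` markup cannot be checked here.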