fix: evaluated page title content (#3684)

* fix: evaluated page title content * chore: add comment * chore: use DOMParser instead * fix: use `innerHTML` for the actual value Signed-off-by: Sami Mazouz <sychocouldy@gmail.com> Co-authored-by: David Wheatley <hi@davwheat.dev>
2025-07-26 19:20:21 +02:00 · 2022-11-18 22:09:22 +01:00
parent b5f324a7b3
commit ed0cee97f5
2 changed files with 12 additions and 6 deletions
--- a/framework/core/js/src/common/Application.tsx
+++ b/framework/core/js/src/common/Application.tsx
@@ -410,16 +410,22 @@ export default class Application {
      pageNumber: 1,
    };
-    const title =
+    let title =
      onHomepage || !this.title
        ? extractText(app.translator.trans('core.lib.meta_titles.without_page_title', params))
        : extractText(app.translator.trans('core.lib.meta_titles.with_page_title', params));
-    const tempEl = document.createElement('div');
+    title = count + title;
    tempEl.innerHTML = title;
    const decodedTitle = tempEl.innerText;
-    document.title = count + decodedTitle;
+    // We pass the title through a DOMParser to allow HTML entities
    // to be rendered correctly, while still preventing XSS attacks
    // from user input by using a script-disabled environment.
    // https://github.com/flarum/framework/issues/3514
    // https://github.com/flarum/framework/pull/3684
    const parser = new DOMParser();
    const safeTitle = parser.parseFromString(title, 'text/html').body.innerHTML;
    document.title = safeTitle;
  }
  protected transformRequestOptions<ResponseType>(flarumOptions: FlarumRequestOptions<ResponseType>): InternalFlarumRequestOptions<ResponseType> {
--- a/framework/core/views/frontend/app.blade.php
+++ b/framework/core/views/frontend/app.blade.php
@@ -3,7 +3,7 @@
      @if ($language) lang="{{ $language }}" @endif>
    <head>
        <meta charset="utf-8">
-        <title>{!! $title !!}</title>
+        <title>{{ $title }}</title>
        {!! $head !!}
    </head>