Merge pull request from GHSA-v24p-7p4j-qvvf

* Encode file names in tooltips and titles

* Allow HTML in help texts

* Remove ampersands in sanitizeFileName()

* Revert "Remove ampersands in sanitizeFileName()"

This reverts commit df7a6d9e7a6122d78380e38e4bb06ff7b823cc71.

* Fix all modals

* Rebuild the assets

---------

Co-authored-by: Leo Feyer <1192057+leofeyer@users.noreply.github.com>

core-bundle/assets/scripts/core.js

@@ -558,7 +558,7 @@ window.Backend =
 			'onHide': function() { document.body.setStyle('overflow', 'auto'); }
 		});
 		M.show({
-			'title': opt.title,
+			'title': opt.title?.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'),
 			'contents': '<img src="' + opt.url + '" alt="">'
 		});
 	},
@@ -583,7 +583,7 @@ window.Backend =
 			'onHide': function() { document.body.setStyle('overflow', 'auto'); }
 		});
 		M.show({
-			'title': opt.title,
+			'title': opt.title?.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'),
 			'contents': '<iframe src="' + opt.url + '" width="100%" height="' + opt.height + '" frameborder="0"></iframe>',
 			'model': 'modal'
 		});
@@ -648,7 +648,7 @@ window.Backend =
 			this.hide();
 		});
 		M.show({
-			'title': opt.title,
+			'title': opt.title?.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;'),
 			'contents': '<iframe src="' + opt.url + '" name="simple-modal-iframe" width="100%" height="' + opt.height + '" frameborder="0"></iframe>',
 			'model': 'modal'
 		});

core-bundle/assets/scripts/tips.js

@@ -22,7 +22,8 @@
             } else {
                 text = el.getAttribute('title');
                 el.setAttribute('data-original-title', text);
-                el.removeAttribute('title')
+                el.removeAttribute('title');
+                text = text?.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;').replace(/'/g, '&apos;');
             }
 
             if (!text) {

core-bundle/contao/drivers/DC_Folder.php

@@ -2715,7 +2715,7 @@ protected function generateTree($path, $intMargin, $mount=false, $blnProtected=t
 			$folderAlt = $protected ? $GLOBALS['TL_LANG']['MSC']['folderCP'] : $GLOBALS['TL_LANG']['MSC']['folderC'];
 
 			// Add the current folder
-			$strFolderNameEncoded = StringUtil::convertEncoding(StringUtil::specialchars(basename($currentFolder)), System::getContainer()->getParameter('kernel.charset'));
+			$strFolderNameEncoded = StringUtil::convertEncoding(StringUtil::specialchars(basename($currentFolder), false, true), System::getContainer()->getParameter('kernel.charset'));
 			$strFolderLabel = '<strong>' . $strFolderNameEncoded . '</strong>';
 
 			if ($this->isMounted($currentFolder))
@@ -2837,7 +2837,7 @@ protected function generateTree($path, $intMargin, $mount=false, $blnProtected=t
 				}
 			}
 
-			$strFileNameEncoded = StringUtil::convertEncoding(StringUtil::specialchars(basename($currentFile)), System::getContainer()->getParameter('kernel.charset'));
+			$strFileNameEncoded = StringUtil::convertEncoding(StringUtil::specialchars(basename($currentFile), false, true), System::getContainer()->getParameter('kernel.charset'));
 			$iconAlt = sprintf($GLOBALS['TL_LANG']['MSC']['typeOfFile'], strtoupper($objFile->extension));
 
 			// No popup links for protected files and templates (see #700)

core-bundle/public/entrypoints.json

@@ -2,7 +2,7 @@
   "entrypoints": {
     "backend": {
       "js": [
-        "/bundles/contaocore/backend.1d61970f.js"
+        "/bundles/contaocore/backend.7d12ce36.js"
       ]
     }
   }

core-bundle/public/manifest.json

@@ -1,4 +1,4 @@
 {
-  "backend.js": "/bundles/contaocore/backend.1d61970f.js",
-  "backend.1d61970f.js.map": "/bundles/contaocore/backend.1d61970f.js.map"
+  "backend.js": "/bundles/contaocore/backend.7d12ce36.js",
+  "backend.7d12ce36.js.map": "/bundles/contaocore/backend.7d12ce36.js.map"
 }