[Bug]: Name in Theme: tick/quote is incorrectly escaped to HTML code #34990

Closed
6 of 9 tasks
andypfau opened this issue Nov 5, 2022 · 2 comments · Fixed by #35014

andypfau commented Nov 5, 2022

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • Nextcloud Server is running on 64bit capable CPU, PHP and OS.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

When you enter a name (under "Theming") that contains a single quote, it is escaped to an HTML sequence, instead of being shown as the proper character.

Steps to reproduce

  • Log in as admin, go to Administration Settings -> Theming
  • Under "Name", enter a string that contains the ' character (i.e. the C-style char quotes), e.g. "Admin's Nextcloud"
  • Log out (to see Nextcloud's welcome screen)
  • On the login screen (above the name/password textboxes), it says "Log in to Admin & # 3 9 ; s Nextcloud" (i.e. the HTML escape code, "& # 3 9 ;"; I had to add those spaces to prevent GitHub from escaping the string here as well... it actually appears on Nextcloud without the spaces, of course)

Expected behavior

  • It should say "Log in to Admin's Nextcloud"

Installation method

Community Web installer on a VPS or web space

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

config:list system
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.1.1",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "mail_smtptimeout": 60,
        "app.mail.transport": "php-mail",
        "app.mail.verify-tls-peer": false,
        "debug": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "DE",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "app_install_overwrite": [
            "drawio"
        ],
        "mail_smtpstreamoptions": {
            "ssl": {
                "security_level": 1
            }
        },
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - admin_audit: 1.15.0
  - calendar: 4.1.0
  - cloud_federation_api: 1.8.0
  - comments: 1.15.0
  - contacts: 5.0.1
  - contactsinteraction: 1.6.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - drawio: 1.0.3
  - encryption: 2.13.0
  - federatedfilesharing: 1.15.0
  - federation: 1.15.0
  - files: 1.20.1
  - files_automatedtagging: 1.15.0
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - files_trashbin: 1.15.0
  - files_versions: 1.18.0
  - firstrunwizard: 2.14.0
  - forms: 3.0.1
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - mail: 2.1.0
  - maps: 0.2.1
  - metadata: 0.17.0
  - nextcloud_announcements: 1.14.0
  - notes: 4.6.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - phonetrack: 0.7.2
  - photos: 2.0.0
  - polls: 4.0.0
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - recommendations: 1.4.0
  - related_resources: 1.0.3
  - richdocuments: 7.0.1
  - richdocumentscode: 22.5.702
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - spreed: 15.0.1
  - support: 1.8.0
  - survey_client: 1.13.0
  - suspicious_login: 4.3.0
  - systemtags: 1.15.0
  - tasks: 0.14.5
  - text: 3.6.0
  - theming: 2.0.1
  - theming_customcss: 1.12.0
  - twofactor_backupcodes: 1.14.0
  - twofactor_totp: 7.0.0
  - updatenotification: 1.15.0
  - viewer: 1.9.0
  - weather_status: 1.5.0
  - workflowengine: 2.7.0
Disabled:
  - apporder: 0.15.0
  - bruteforcesettings
  - circles: 22.1.1
  - extract: 1.3.5
  - files_external
  - files_markdown: 2.3.6
  - files_mindmap: 0.0.26
  - files_texteditor: 2.14.0
  - fulltextsearch: 24.0.0
  - user_ldap
  - user_status: 1.1.1

Nextcloud Signing status

It says page not found, sorry.

Nextcloud Logs

It does not create any log entries when I change that string.

Additional info

  • Version: Nextcloud 25.0.1
  • Apparently this happens only with this character, and the ampersand (&), and some others, (probably some other as well), e.g. "Admin´s Nextcloud" (angled tick, not straight tick) is displayed properly
  • The issue started after updating to 25.0.0, and persists in 25.0.1
  • When I check the name in the "Theming" settings, it still shows the proper ' character. It is only escaped on the login screen (maybe other sections as well, don't know)
@andypfau andypfau added 0. Needs triage Pending check for reproducibility or if it fits our roadmap bug labels Nov 5, 2022

andypfau commented Nov 7, 2022

Updated the description text - Github escaped the HTML code I posted, so the description didn't make any sense originally, sorry.

@PVince81 PVince81 added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Nov 7, 2022
@PVince81 PVince81 added this to the Nextcloud 25.0.2 milestone Nov 7, 2022
@Pytal Pytal added 3. to review Waiting for reviews and removed 1. to develop Accepted and waiting to be taken care of labels Nov 8, 2022
andypfau commented

I updated to Nextcloud 25.0.2, and the quotes are now properly escaped on the start page. However, just now I noticed that there is at least one place where it is still incorrectly escaped, which is the Email editor, when you click on the meatball menu:
email_escape
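
The symptom reported in this thread (a literal HTML entity shown on the login screen) is what a value looks like after being HTML-escaped twice. The following is an added example, not Nextcloud code and not the change made in #35014; the thread does not state the root cause, so the double escape is an assumption, and all function names and the sample strings other than the two names quoted in the report are constructed.

```javascript
// Added illustration: escape exactly once, at the output sink.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));

// Encode text for an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Approximate what a browser displays for markup: ONE level of entity
// decoding. Replaced text is not rescanned, so "&amp;#39;" becomes "&#39;".
function displayedText(markup) {
  return markup.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// Correct: the raw name is stored and escaped once when the page is built.
function renderOnce(name) {
  return 'Log in to ' + escapeHtml(name);
}

// Assumed bug shape: one layer escapes the value, then the template
// layer escapes the already-escaped string again.
function renderTwice(name) {
  return 'Log in to ' + escapeHtml(escapeHtml(name));
}

// Regression check: return the names whose displayed text differs from
// what the admin typed, for a given render function.
function auditNames(names, render) {
  return names.filter((n) => displayedText(render(n)) !== 'Log in to ' + n);
}

// Constructed samples; the first two names are quoted in the report.
const SAMPLES = ["Admin's Nextcloud", 'Admin´s Nextcloud', 'Tom & Co', '<b>Cloud</b>'];

console.log(displayedText(renderTwice(SAMPLES[0]))); // entity shown literally
console.log(auditNames(SAMPLES, renderTwice));       // names that render wrongly
console.log(auditNames(SAMPLES, renderOnce));        // empty: all render as typed
console.log(renderOnce(SAMPLES[3]));                 // markup stays neutralised
```

Removing the second escape, not the first, is what keeps a name containing markup inert while still displaying quotes and ampersands as typed.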
