From 54726523cdbd9cbcbb541d97b8567ac6a6be6252 Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Thu, 12 Dec 2024 12:24:50 +1100
Subject: [PATCH] SECURITY: Fix XSS when outputting display title

Bug: T382043
---
 BreadCrumbs2.class.php | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/BreadCrumbs2.class.php b/BreadCrumbs2.class.php
index 3dad7f0..c313f1b 100644
--- a/BreadCrumbs2.class.php
+++ b/BreadCrumbs2.class.php
@@ -107,7 +107,7 @@ class BreadCrumbs2 {
 		$this->crumbPath = $crumbs[0];
 
 		global $wgAllowDisplayTitle;
-		$htmlTitle = $title->getText();
+		$htmlTitle = htmlspecialchars( $title->getText() );
 		if ( $wgAllowDisplayTitle ) {
 			$services = MediaWikiServices::getInstance();
 			if ( method_exists( $services, 'getPageProps' ) ) {
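Review bot: The added `htmlspecialchars( $title->getText() )` call relies on PHP's default flags, which before PHP 8.1 leave single quotes unescaped. Where `$htmlTitle` is emitted is not visible in this hunk, so if it can end up inside a single-quoted attribute the escaping would be incomplete on older runtimes. Passing the flags explicitly, `$htmlTitle = htmlspecialchars( $title->getText(), ENT_QUOTES );`, removes that version dependence. The enclosing method starts and ends outside the hunk.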
@@ -116,12 +116,14 @@ class BreadCrumbs2 {
 			} else {
 				$pageProps = PageProps::getInstance();
 			}
-			$properties = $pageProps->getProperties( $title, [ 'displaytitle' ] )[ $title->getArticleID() ] ?? [];
-			if (
-				!empty( $properties ) &&
-				trim( str_replace( '&#160;', '', strip_tags( $properties[ 'displaytitle' ] ) ) ) !== ''
-			) {
-				$htmlTitle = htmlspecialchars_decode( $properties[ 'displaytitle' ] );
+
+			$displayTitle = $pageProps->getProperties( $title, 'displaytitle' )[ $title->getArticleID() ] ?? '';
+			$plainTextDisplayTitle = trim( Sanitizer::stripAllTags( $displayTitle ) );
+
+			// There is no need to check $wgRestrictDisplayTitle, as core already
+			// does that prior to setting the page property
+			if ( $plainTextDisplayTitle !== '' ) {
+				$htmlTitle = $displayTitle;
 			}
 		}
 		# add current title
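Review bot: `$htmlTitle = $displayTitle;` uses the stored page property as raw HTML, so the output is only safe if whatever wrote the `displaytitle` property sanitized it first; the added comment covers `$wgRestrictDisplayTitle` but not this assumption. I would extend it with something like `// $displayTitle is used as raw HTML: this relies on the displaytitle page property having been sanitized before it was stored`. Separately, the removed check discarded titles consisting only of `&#160;`; if `Sanitizer::stripAllTags()` decodes that reference to U+00A0, `trim()` will not strip it and such a title would now pass the `!== ''` test, which is worth confirming. The enclosing method starts outside the hunk.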
-- 
2.47.1

