From 9725e93ee1ba03578a762136b4bf5f0f3ff5f54f Mon Sep 17 00:00:00 2001
From: Sohom <sohomdatta1+git@gmail.com>
Date: Thu, 7 Sep 2023 01:08:18 +0530
Subject: [PATCH] Escape formatNumNoSeperator( $number ) output

The current implementation gives Security-XSS errors (from the static taint
check) due to the possibility of including raw HTML. Preemptively
sanitize the output returned by formatNumNoSeparators( $number )
to guard against any potential XSS issues.

Change-Id: I7bbcc84a783c200eb99f4c98abe200853f06aa08
---
 includes/Pagination/PageNumber.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/includes/Pagination/PageNumber.php b/includes/Pagination/PageNumber.php
index efdb126f..a22c084e 100644
--- a/includes/Pagination/PageNumber.php
+++ b/includes/Pagination/PageNumber.php
@@ -5,6 +5,7 @@ namespace ProofreadPage\Pagination;
 use Language;
 use NumberFormatter;
 use ProofreadPage\Pagination\CustomNumberFormatters\BengaliCurrencyFormat;
+use Sanitizer;
 
 /**
  * @license GPL-2.0-or-later
@@ -84,9 +85,9 @@ class PageNumber {
 		$number = (int)$this->number;
 		switch ( $this->displayMode ) {
 			case self::DISPLAY_NORMAL:
-				return $language->formatNumNoSeparators( $number );
+				return Sanitizer::escapeHtmlAllowEntities( $language->formatNumNoSeparators( $number ) );
 			case self::DISPLAY_FOLIO:
-				return $language->formatNumNoSeparators( $number ) .
+				return Sanitizer::escapeHtmlAllowEntities( $language->formatNumNoSeparators( $number ) ) .
 					$this->formatRectoVerso();
 			case self::DISPLAY_FOLIOHIGHROMAN:
 				return self::formatICU( $language, 'roman', $number ) .
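Review bot: The escaping is applied only to the digit string from `formatNumNoSeparators( $number )`, which after the `(int)` cast on the first hunk line cannot carry markup, while the `$this->formatRectoVerso()` suffix concatenated onto it in the DISPLAY_FOLIO branch and the `formatICU` output in the DISPLAY_FOLIOHIGHROMAN branch leave the same method unescaped. If the intent is that this method's return value is HTML-safe, escape every branch at one point rather than one operand, e.g. build the string and `return Sanitizer::escapeHtmlAllowEntities( $formatted );` before leaving the switch; otherwise the change silences the taint report without closing the path it flagged. If instead the method is meant to return plain text that the caller escapes for its own context, a comment such as `// Returns plain text; callers must escape for their output context` is the more honest fix than escaping here. The enclosing method's signature and its remaining branches are outside the hunk.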
@@ -120,9 +121,9 @@ class PageNumber {
 		$number = (int)$this->number;
 		switch ( $this->displayMode ) {
 			case self::DISPLAY_NORMAL:
-				return $language->formatNumNoSeparators( $number );
+				return Sanitizer::escapeHtmlAllowEntities( $language->formatNumNoSeparators( $number ) );
 			case self::DISPLAY_FOLIO:
-				return $language->formatNumNoSeparators( $number ) .
+				return Sanitizer::escapeHtmlAllowEntities( $language->formatNumNoSeparators( $number ) ) .
 					$this->rawRectoVerso();
 			case self::DISPLAY_FOLIOHIGHROMAN:
 				return self::formatICU( $language, 'roman', $number ) .
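Review bot: This branch concatenates `$this->rawRectoVerso()` onto the escaped digits, and the `raw` naming suggests this method is the unescaped variant whose result is meant to be escaped by the caller; escaping one operand of that concatenation makes the return value neither consistently raw nor consistently safe, and any caller that escapes the whole result will now treat part of it twice. Since `$number` is cast with `(int)` on the first hunk line, the digit string is the one component that cannot contain markup, so the defensive value of the wrapper here is low while the unescaped `rawRectoVerso()` and `formatICU` parts are unchanged. Either leave this variant unescaped and document it with `// Unescaped: the caller escapes for its output context`, or escape the fully assembled string in one place so the contract is unambiguous. The enclosing method starts and ends outside the hunk, so I cannot confirm how callers use its result.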
-- 
2.42.0

