From ff061367766ba458d0f7999124ec2987a91af98f Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Wed, 28 Aug 2013 09:20:03 +0200
Subject: [PATCH] OO-689: fix truncate after escape issue in dynamic tab

---
 .../core/commons/fullWebApp/BaseFullWebappController.java     | 4 ++--
 .../java/org/olat/core/commons/fullWebApp/_content/nav.html   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java b/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
index 5031dd8ec73..751187faf96 100644
--- a/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
+++ b/src/main/java/org/olat/core/commons/fullWebApp/BaseFullWebappController.java
@@ -855,7 +855,7 @@ public class BaseFullWebappController extends BasicController implements Generic
 			getWindowControl().setError(translate("warn.tabsfull"));
 			return null;
 		}
-		DTabImpl dt = new DTabImpl(ores, repoOres, StringHelper.escapeHtml(title), getWindowControl());
+		DTabImpl dt = new DTabImpl(ores, repoOres, title, getWindowControl());
 		return dt;
 	}
 
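Review bot: With the escape removed from the constructor call, DTabImpl now holds the raw title, and nothing at this site records that every reader must encode it at output. I would add a comment above the `new DTabImpl(...)` line such as `// title is stored unescaped; encode it at each render site (HTML text, attribute, script)`. The second hunk covers the tab link text, but other readers of `dt.getTitle()` lie outside this patch and should be checked for the old assumption that the value was already escaped. The enclosing method starts above the hunk.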
@@ -891,7 +891,7 @@ public class BaseFullWebappController extends BasicController implements Generic
 			dtabs.add(dt);
 			dtabsLinkNames.add(Integer.toString(dtabCreateCounter));
 			Link link = LinkFactory.createCustomLink("a" + dtabCreateCounter, "a" + dtabCreateCounter, "", Link.NONTRANSLATED, navVc, this);
-			link.setCustomDisplayText(((DTabImpl) dt).getNavElement().getTitle());
+			link.setCustomDisplayText(StringHelper.escapeHtml(dt.getNavElement().getTitle()));
 			link.setTitle(dt.getTitle());
 			link.setUserObject(dt);
 			// Set accessibility access key using the 's' key. You can loop through all opened tabs by
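Review bot: `link.setTitle(dt.getTitle())`, on the line after the changed one, now receives the unescaped title, because the first hunk stops escaping at construction and only the display text is encoded here. Whether Link encodes its title when it renders the attribute is not visible in this patch, so either confirm that or pass `StringHelper.escapeHtml(dt.getTitle())` there as well. Escaping after `getNavElement().getTitle()` is the right order if that getter returns the truncated text, and a short comment would record why: `// escape after truncation so entities are not cut in half`. The enclosing method starts and ends outside the hunk.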
diff --git a/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html b/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html
index 1cc280a37cd..96eff9ece6e 100644
--- a/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html
+++ b/src/main/java/org/olat/core/commons/fullWebApp/_content/nav.html
@@ -47,7 +47,7 @@
 #if($pageTitle)
 	<script type="text/javascript">
 	/* <![CDATA[ */ 
-		document.title = "$r.translate("page.appname") - $r.escapeDoubleQuotes($pageTitle)";
+		document.title = "$r.translate("page.appname") - $r.escapeDoubleQuotes($r.xssScan($pageTitle))";
 	/* ]]> */
 	</script>
 #end
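Review bot: `$pageTitle` is written into a JavaScript string literal on the changed line, so the encoding that matters there is JavaScript-string encoding, and `xssScan` looks like an HTML filter rather than that. If `escapeDoubleQuotes` handles only the quote character, a backslash or line terminator in the title could still end or corrupt the literal; what the helper covers is not visible here. I would confirm its coverage, or use a JavaScript-string encoder if the render decorator offers one. It is also worth checking that the HTML filter's output does not appear as literal entities in `document.title`, which the browser treats as plain text.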
-- 
GitLab