Element-Browser page tree has HSC'ed <span> elements
See attached screenshot.
The screenshot is taken from the element browser window of a TCE group field and shows the page tree of the element browser.
I also found an & in one page title, so maybe the HSC is done twice?
(issue imported from #M15289)
#4 Updated by Oliver Hader about 9 years ago
The attached patch fixes this issue. By analyzing the source code, we can be sure that the title for regular pages (not for files and folders) is escaped by htmlspecialchars() before. Thus, the superfluous HSC got removed. However, this opens another possibility to introduce XSS with domain names (this is currently safe due to the possible double HSC).
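An added illustration of the trade-off described in the comment above; it is not TYPO3 code and not part of the original issue or patch. The function names, the label layout (title in a `<span>`, domain name in brackets) and the sample values are assumptions made for the example.

```php
<?php
// Hypothetical helpers; none of these names come from TYPO3.

// Regular page titles reach the tree already escaped once.
function getPageTitle(string $rawTitle): string
{
    return htmlspecialchars($rawTitle, ENT_QUOTES, 'UTF-8');
}

// Reported behaviour: the assembled label is escaped a second time,
// so the <span> markup and the entities in the title become visible text.
function renderLabelDoubleEscaped(string $escapedTitle, string $rawDomain): string
{
    $label = '<span class="title">' . $escapedTitle . '</span> [' . $rawDomain . ']';
    return htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
}

// Outer escape removed and nothing else changed: the title is fine,
// but the domain name, which was never escaped on its own, is emitted raw.
function renderLabelOuterEscapeRemoved(string $escapedTitle, string $rawDomain): string
{
    return '<span class="title">' . $escapedTitle . '</span> [' . $rawDomain . ']';
}

// Escape-once discipline: every raw value is escaped exactly once,
// at the point where it is joined into markup.
function renderLabelEscapedOnce(string $escapedTitle, string $rawDomain): string
{
    return '<span class="title">' . $escapedTitle . '</span> ['
        . htmlspecialchars($rawDomain, ENT_QUOTES, 'UTF-8') . ']';
}

// Constructed sample input.
$title  = getPageTitle('News & Events');
$domain = 'example.org<b>x</b>';

$renderers = [
    'renderLabelDoubleEscaped',
    'renderLabelOuterEscapeRemoved',
    'renderLabelEscapedOnce',
];
foreach ($renderers as $renderer) {
    echo $renderer, ': ', $renderer($title, $domain), PHP_EOL;
}
```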