Encode the double quote (`"`) in StringUtil::encodeJS()

`encodeJSON()` is currently broken, because while it HTML-encodes the double
quote, it does not actually add the backslash in front of it. Depending on
whether the HTML entity is interpreted by the browser in that specific location
or not, this either results in an incorrect string (with a literal `"`
instead of `"`) or in a syntax error (because the `"` ends the string
prematurely).

The latter might even allow for the injection of JavaScript, if `encodeJSON` is
used in a `<script>` tag that is not just LD-JSON metadata.

Fix this issue by escaping the double quote in `encodeJS` which is used
internally by `encodeJSON`. This should not cause issues, as an escaped double
quote is valid syntax within a JavaScript string.

diff --git a/wcfsetup/install/files/lib/util/StringUtil.class.php b/wcfsetup/install/files/lib/util/StringUtil.class.php
index 22f718cb92d8fa2e484b7cbc1f2c3c107badace3..df7655c85fb2b9887d8b73c48d53cb83039a2330 100644 (file)
--- a/wcfsetup/install/files/lib/util/StringUtil.class.php
+++ b/wcfsetup/install/files/lib/util/StringUtil.class.php
@@ -114,6 +114,9 @@ final class StringUtil {
                // escape singe quote
                $string = str_replace("'", "\'", $string);
                
+               // escape double quote
+               $string = str_replace('"', '\"', $string);
+               
                // escape new lines
                $string = str_replace("\n", '\n', $string);