From 0ee8130667035c5211206c018d1f1b17b2f74b63 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?= <duesterhus@woltlab.com>
Date: Tue, 4 Jan 2022 11:50:50 +0100
Subject: [PATCH] Encode the double quote (`"`) in StringUtil::encodeJS()

`encodeJSON()` is currently broken, because while it HTML-encodes the double
quote, it does not actually add the backslash in front of it. Depending on
whether the HTML entity is interpreted by the browser in that specific location
or not, this either results in an incorrect string (with a literal `&quot;`
instead of `"`) or in a syntax error (because the `"` ends the string
prematurely).

The latter might even allow for the injection of JavaScript, if `encodeJSON` is
used in a `<script>` tag that is not just LD-JSON metadata.

Fix this issue by escaping the double quote in `encodeJS` which is used
internally by `encodeJSON`. This should not cause issues, as an escaped double
quote is valid syntax within a JavaScript string.
---
 wcfsetup/install/files/lib/util/StringUtil.class.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wcfsetup/install/files/lib/util/StringUtil.class.php b/wcfsetup/install/files/lib/util/StringUtil.class.php
index 22f718cb92..df7655c85f 100644
--- a/wcfsetup/install/files/lib/util/StringUtil.class.php
+++ b/wcfsetup/install/files/lib/util/StringUtil.class.php
@@ -114,6 +114,9 @@ final class StringUtil {
 		// escape singe quote
 		$string = str_replace("'", "\'", $string);
 		
+		// escape double quote
+		$string = str_replace('"', '\"', $string);
+		
 		// escape new lines
 		$string = str_replace("\n", '\n', $string);
 		
-- 
2.20.1