From 06ce52c20f208b0bbf24c6480d60332c9dd19428 Mon Sep 17 00:00:00 2001
From: nivcoo
Date: Tue, 8 Mar 2022 12:22:29 +0100
Subject: [PATCH] improv. fix xss with navbar
---
 app/View/Navbar/admin_add.ctp | 4 ++--
 app/View/Navbar/admin_edit.ctp | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/View/Navbar/admin_add.ctp b/app/View/Navbar/admin_add.ctp
index 65f3eb01..f7d72c1b 100755
--- a/app/View/Navbar/admin_add.ctp
+++ b/app/View/Navbar/admin_add.ctp
@@ -224,9 +224,9 @@
 url = {};
 for (var key in test = names) {
 var l = test[key].split('=');
- l = l[1];
+ l = decodeURIComponent(l[1]);
 var p = urls[key].split('=');
- p = p[1];
+ p = decodeURIComponent(p[1]);
 url[l] = p;
 }
 }
diff --git a/app/View/Navbar/admin_edit.ctp b/app/View/Navbar/admin_edit.ctp
index 8f637061..6775f83c 100755
--- a/app/View/Navbar/admin_edit.ctp
+++ b/app/View/Navbar/admin_edit.ctp
@@ -96,12 +96,12 @@
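Review bot: `decodeURIComponent` on the two added lines in `admin_add.ctp` turns the submitted name and URL back into raw user text, so nothing in this hunk neutralises markup. The XSS protection still depends on escaping wherever the keys and values of `url` are later printed, and on the server rejecting unexpected link schemes; neither is visible here. Both calls also throw `URIError` on a malformed `%` sequence and leave `+` undecoded, which matters if `names` and `urls` come from a form serializer (inferred, since their origin is outside the hunk). I would add above `url[l] = p;` the comment `// l and p are decoded, untrusted text: escape on output, validate the URL scheme server-side`, and guard each decode, e.g. `try { l = decodeURIComponent(l[1]); } catch (e) { continue; }`. The enclosing function starts and ends outside the hunk.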
+ value="" name="name_of_nav">