Fix stored XSS security issue: add semicolon to HTML entity so it can…

… be decoded

CHANGES.md

@@ -69,6 +69,7 @@ Changes in 9.0
 - Fix Improper Access Control security issue: add random string to photo file name in TipMessage.fnc.php, Transcripts.fnc.php, PrintClassPictures.php, Student.php, User.php & General_Info.inc.php, thanks to @dungtuanha
 - Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @khanhchauminh
 - Fix stored XSS security issue: remove inline JS from URL in PreparePHP_SELF.fnc.php, thanks to @intrapus
+- Fix stored XSS security issue: add semicolon to HTML entity so it can be decoded in PreparePHP_SELF.fnc.php, thanks to @intrapus
 - Accessibility: add hidden input label using .a11y-hidden class in ReportCardComments.php, StudentFields.php & Grades/TeacherCompletion.php
 - Accessibility: add select label in Eligibility/TeacherCompletion.php, Student.php, StudentList.php, MassDrops.php & MassSchedule.php
 - Two Lists on same page: export only first, no search in Eligibility/Student.php

functions/PreparePHP_SELF.fnc.php

@@ -173,8 +173,25 @@ function RedirectURL( $remove )
  */
 function URLEscape( $string )
 {
+	$fixed_entities_string = preg_replace_callback(
+		// Match both decimal & hex code (although hex codes can contain a-f letters).
+		// Should be enough as the alphabet hex codes only have numbers.
+		"/(&#x?[0-9]+;?)/i",
+		function( $match ) {
+			if ( mb_substr( $match[1], -1 ) !== ';' )
+			{
+				// Fix stored XSS security issue: add semicolon to HTML entity so it can be decoded.
+				// @link https://www.php.net/manual/en/function.html-entity-decode.php#104617
+				$match[1] .= ';';
+			}
+
+			return $match[1];
+		},
+		$string
+	);
+
 	// Fix stored XSS security issue: decode HTML entities from URL.
-	$decoded_string = html_entity_decode( (string) $string );
+	$decoded_string = html_entity_decode( (string) $fixed_entities_string );
 
 	$remove = [
 		// Fix stored XSS security issue: remove inline JS from URL.