sanitize entity title attributes

src/extensions/Zikula/ContentModule/Helper/Base/AbstractEntityDisplayHelper.php

@@ -78,7 +78,7 @@ protected function formatPage(PageEntity $entity): string
         return $this->translator->trans(
             '%title%',
             [
-                '%title%' => $entity->getTitle(),
+                '%title%' => htmlspecialchars($entity->getTitle()),
             ],
             'page'
         );
@@ -92,7 +92,7 @@ protected function formatContentItem(ContentItemEntity $entity): string
         return $this->translator->trans(
             '%owningType%',
             [
-                '%owningType%' => $entity->getOwningType(),
+                '%owningType%' => htmlspecialchars($entity->getOwningType()),
             ],
             'contentItem'
         );

templates/bundles/ZikulaContentModule/Page/view.html.twig

@@ -101,7 +101,7 @@
                         {{ page.workflowState|zikulacontentmodule_objectState }}
                     </td>
                     {% endif %}<td headers="hTitle" class="text-left">
-                        <a href="{{ path('zikulacontentmodule_page_' ~ routeArea ~ 'display', {'slug': page.slug}) }}" title="{{ 'View detail page'|trans({}, 'messages')|e('html_attr') }}">{{ page.title|notifyFilters('zikulacontentmodule.filterhook.pages')|safeHtml }}</a>
+                        <a href="{{ path('zikulacontentmodule_page_' ~ routeArea ~ 'display', {'slug': page.slug}) }}" title="{{ 'View detail page'|trans({}, 'messages')|e('html_attr') }}">{{ page.title|notifyFilters('zikulacontentmodule.filterhook.pages')|safeHtml|e }}</a>
                     </td>
                     {% if countPageViews %}
                         <td headers="hViews" class="text-right">