From b888fa10328219d4eb5bec3fd0c69fa859a8c43b Mon Sep 17 00:00:00 2001
From: supahgreg <supahgreg@users.noreply.github.com>
Date: Fri, 10 Oct 2025 22:39:31 +0000
Subject: [PATCH] Fix a potential double-unescaping issue, tweak
 'App.escapeHtml()'.

---
 js/App.js      | 40 ++++++++++++++++++++++++++++------------
 js/FeedTree.js | 11 +----------
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/js/App.js b/js/App.js
index 370391f86..5df313491 100644
--- a/js/App.js
+++ b/js/App.js
@@ -411,19 +411,35 @@ const App = {
    },
    // htmlspecialchars()-alike for headlines data-content attribute
    escapeHtml: function(p) {
-      if (typeof p == "string") {
-         const map = {
-            '&': '&amp;',
-            '<': '&lt;',
-            '>': '&gt;',
-            '"': '&quot;',
-            "'": '&#039;'
-         };
-
-         return p.replace(/[&<>"']/g, function(m) { return map[m]; });
-      } else {
+      if (typeof p !== 'string')
          return p;
-      }
+
+      const map = {
+         '&': '&amp;',
+         '<': '&lt;',
+         '>': '&gt;',
+         '"': '&quot;',
+         "'": '&#x27;',
+         '/': '&#x2F;',
+      };
+
+      return p.replace(/[&<>"'\/]/g, m => map[m]);
+   },
+   unescapeHtml: function(p) {
+      if (typeof p !== 'string' || p.indexOf('&') === -1)
+         return p;
+
+      return p.replace(/&(?:amp|lt|gt|quot|#x27|#x2F|#039|#47);/g, function(entity) {
+         switch (entity) {
+            case '&amp;': return '&';
+            case '&lt;': return '<';
+            case '&gt;': return '>';
+            case '&quot;': return '"';
+            case '&#x27;': case '&#039;': return "'";
+            case '&#x2F;': case '&#47;': return '/';
+            default: return entity;
+         }
+      });
    },
    // http://stackoverflow.com/questions/6251937/how-to-get-selecteduser-highlighted-text-in-contenteditable-element-and-replac
    getSelectedText: function() {
diff --git a/js/FeedTree.js b/js/FeedTree.js
index 67d2a8035..683205579 100755
--- a/js/FeedTree.js
+++ b/js/FeedTree.js
@@ -237,16 +237,7 @@ define(["dojo/_base/declare", "dojo/dom-construct", "dojo/_base/array", "dojo/co
 			return rc;
 		},
 		getLabel: function(item) {
-			let name = String(item.name);
-
-			/* Horrible */
-			name = name.replace(/&quot;/g, "\"");
-			name = name.replace(/&amp;/g, "&");
-			name = name.replace(/&mdash;/g, "-");
-			name = name.replace(/&lt;/g, "<");
-			name = name.replace(/&gt;/g, ">");
-
-			return name;
+			return App.unescapeHtml(item.name);
 		},
 		expandParentNodes: function(feed, is_cat, list) {
 			try {