From 6833f95a79bdea5027aff23d656c0a9e1726fcaa Mon Sep 17 00:00:00 2001
From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Date: Wed, 8 Jan 2025 16:16:41 +0100
Subject: [PATCH] fix: update function to take better care of quotes as some of them are okay

---
 .../localization.controller.test.ts | 2 +-
 .../utils/sanitize/escape-html.function.test.ts | 10 +---------
 .../core/utils/sanitize/escape-html.function.ts | 14 ++++++++++++--
 3 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/src/libs/localization-api/localization.controller.test.ts b/src/libs/localization-api/localization.controller.test.ts
index fa48a795f6..233bef12c9 100644
--- a/src/libs/localization-api/localization.controller.test.ts
+++ b/src/libs/localization-api/localization.controller.test.ts
@@ -177,7 +177,7 @@ describe('UmbLocalizeController', () => {

 it('should encode HTML entities', () => {
 expect(controller.term('withInlineToken', 'Hello', ''), 'XSS detected').to.equal(
- 'Hello <script>alert("XSS")</script>',
+ 'Hello <script>alert("XSS")</script>',
 );
 });

diff --git a/src/packages/core/utils/sanitize/escape-html.function.test.ts b/src/packages/core/utils/sanitize/escape-html.function.test.ts
index 555045300f..24e8cf5014 100644
--- a/src/packages/core/utils/sanitize/escape-html.function.test.ts
+++ b/src/packages/core/utils/sanitize/escape-html.function.test.ts
@@ -3,14 +3,6 @@ import { escapeHTML } from './escape-html.function.js';

 describe('escapeHtml', () => {
 it('should escape html', () => {
- expect(escapeHTML('')).to.equal('<script>alert("XSS")</script>');
- });
-
- it('should escape html with single quotes', () => {
- expect(escapeHTML("")).to.equal('<script>alert('XSS')</script>');
- });
-
- it('should escape html with mixed quotes', () => {
- expect(escapeHTML("")).to.equal('<script>alert('XSS')</script>');
+ expect(escapeHTML('')).to.equal('<script>alert("XSS")</script>');
 });
 });
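Review bot: The two cases removed from escape-html.function.test.ts ("single quotes" and "mixed quotes") are not replaced by anything that pins the new quote handling, so no test now asserts that a single quote passes through unchanged while a double quote is still numerically encoded; a later regression in either direction would go unnoticed. Add `expect(escapeHTML("it's")).to.equal("it's");` beside the remaining case, plus a mixed-quote assertion derived from the replacer in escape-html.function.ts (`'&#' + value.charCodeAt(0) + ';'`), e.g. `expect(escapeHTML('a"b\'c')).to.equal('a&#34;b\'c');`. The expected strings shown on this page look entity-decoded (the removed and added lines in localization.controller.test.ts read identically here), so take the literal values from the repository rather than from this rendering.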
diff --git a/src/packages/core/utils/sanitize/escape-html.function.ts b/src/packages/core/utils/sanitize/escape-html.function.ts
index 4ff14aac25..ee84b1ee86 100644
--- a/src/packages/core/utils/sanitize/escape-html.function.ts
+++ b/src/packages/core/utils/sanitize/escape-html.function.ts
@@ -1,3 +1,7 @@
+const SURROGATE_PAIR_REGEXP = /[\uD800-\uDBFF][\uDC00-\uDFFF]/g;
+// Match everything outside of normal chars and " (quote character)
+const NON_ALPHANUMERIC_REGEXP = /([^#-~| |!])/g;
+
 /**
 * Escapes HTML entities in a string.
 * @example escapeHTML(''), // "<script>alert("XSS")</script>"
@@ -12,8 +16,14 @@ export function escapeHTML(html: unknown): string {
 return html
 .toString()
 .replace(/&/g, '&')
- .replace(/"/g, '"')
- .replace(/'/g, ''')
+ .replace(SURROGATE_PAIR_REGEXP, function (value) {
+ const hi = value.charCodeAt(0);
+ const low = value.charCodeAt(1);
+ return '&#' + ((hi - 0xd800) * 0x400 + (low - 0xdc00) + 0x10000) + ';';
+ })
+ .replace(NON_ALPHANUMERIC_REGEXP, function (value) {
+ return '&#' + value.charCodeAt(0) + ';';
+ })
 .replace(//g, '>');
 }
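Review bot: The new NON_ALPHANUMERIC_REGEXP in the first hunk leaves the single quote (0x27, inside the `#-~` range) unescaped while the double quote (0x22, outside it) is still numerically encoded, and neither the constant's comment nor the `@example` line of the docstring below says so; a caller that interpolates the result into a single-quoted HTML attribute gets no protection from this function. Replace the ambiguous comment with `// Encode control chars, '"' and every code unit above 0x7E; printable ASCII 0x23-0x7E (including the single quote), space and '!' pass through unchanged` and extend the docstring (it continues outside the hunk) with one line stating that the output is intended for text content and double-quoted attribute values only. Two smaller points of style: the class lists `|` twice although 0x7C is already inside `#-~`, so `/[^#-~ !]/g` is equivalent and easier to read, and the capture group is unused because both replacers read the whole match via `value`. The body of escapeHTML starts above the second hunk, and the leading `.replace(/&/g, …)` must stay ahead of the two numeric-entity replacements so the `&` they emit is not re-encoded; the replacement strings in this rendering look entity-decoded (`'&'`, and `.replace(//g, '>')` has lost its `<`/`>` pair), so verify them against the repository, not this page.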