If the field has an apostrophe in the field name, the generated HTML maptip will have an error.
Versions
Lizmap plugin latest
Check Lizmap plugin
I have done the step just before in the Lizmap QGIS desktop plugin before opening this ticket. Otherwise, my ticket is not considered valid and might get closed.
Hi, I'd like to work on this issue. It looks like single quotes in popup content are not properly escaped, which could break the HTML structure or introduce security vulnerabilities like XSS.
A possible fix could be using htmlspecialchars() in PHP or JavaScript escaping techniques before rendering the popup content.
Would you like a specific approach (PHP or JS) for escaping? Also, are there any cases where escaping should be skipped (e.g., when using Markdown)?
```js
// Replace each single quote with its HTML entity (&#39;)
function escapeSingleQuote(str) {
  return str.replace(/'/g, "&#39;");
}

let popupContent = "O'Reilly's Bookstore";
let safeContent = escapeSingleQuote(popupContent);
// Render the escaped string into the popup element
document.getElementById("popup").innerHTML = safeContent;
```
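An added example, not part of the comment above and not Lizmap's own code: it escapes all five HTML-significant characters in one pass and compares the result with apostrophe-only escaping on a field name that contains an apostrophe. The helper names, the row markup and the sample data are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not taken from Lizmap.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can end a text node or a quoted attribute
// value. "&" is handled in the same single pass, so entities produced for
// the other characters are never escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Build one popup row (assumed markup). The field name appears both as text
// and inside a single-quoted attribute, the place where a raw apostrophe
// would close the attribute early and break the generated HTML.
function popupRow(fieldName, fieldValue) {
  const name = escapeHtml(fieldName);
  const value = escapeHtml(fieldValue);
  return `<tr data-field='${name}'><th>${name}</th><td>${value}</td></tr>`;
}

// The same row with only the apostrophe escaped, for comparison: the
// attribute survives, but markup inside the value is still parsed as HTML.
function popupRowQuoteOnly(fieldName, fieldValue) {
  const esc = (s) => String(s).replace(/'/g, "&#39;");
  const name = esc(fieldName);
  return `<tr data-field='${name}'><th>${name}</th><td>${esc(fieldValue)}</td></tr>`;
}

// Constructed sample data: a field name with an apostrophe and a value
// that contains markup characters.
const sampleField = "owner's name";
const sampleValue = "<b>O'Reilly</b> & Sons";

console.log(popupRow(sampleField, sampleValue));
console.log(popupRowQuoteOnly(sampleField, sampleValue));
```

Content that is meant to carry markup, such as rendered Markdown, needs a sanitizer instead of this escaping step.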