Page renderer: Automatically run htmlentities() on all titles

core/02-environment.php

@@ -14,6 +14,8 @@ $env = new stdClass();
 $env->action = $settings->defaultaction;
 /** The page name requested by the remote client. @var string */
 $env->page = "";
+/** The page name, but run through htmlentities(), thus making it safe to display in an output document. */
+$env->page_safe = "";
 /** The filename that the page is stored in. @var string */
 $env->page_filename = "";
 /** Whether we are looking at a history revision or not. @var boolean */

core/40-page-renderer.php

@@ -205,7 +205,7 @@ class page_renderer
 
 			"{content}" => $content,
 			"{extra}" => "",
-			"{title}" => $title,
+			"{title}" => htmlentities($title),
 		];
 
 		// Pass the parts through the part processors

core/45-environment-deferred.php

@@ -6,6 +6,7 @@
 
 /// Finish setting up the environment object ///
 $env->page = $_GET["page"] ?? $_POST["page"];
+$env->page_safe = htmlentities($env->page);
 if(isset($_GET["revision"]) and is_numeric($_GET["revision"]))
 {
 	// We have a revision number!

modules/page-edit.php

@@ -380,8 +380,10 @@ window.addEventListener("load", function(event) {
 		add_action("save", function() {
 			global $pageindex, $settings, $env, $save_preprocessors, $paths;
 			// Update the page name in the main environment, since the page name may be submitted via the POST form
-			if(isset($_POST["page"]))
+			if(isset($_POST["page"])) {
 				$env->page = $_POST["page"];
+				$env->page_safe = htmlentities($env->page);
+			}
 			
 			if(!$settings->editing)
 			{