Link action button unescape presents XSS risk

[asmecher]

Describe the bug
The series of escaping, filtering and unescaping in/around

pkp-lib/templates/linkAction/linkActionButton.tpl

Line 30 in a618dbe

{$_labelTitle|strip_unsafe_html|unescape:'html'}

is confusing and presents an XSS risk.

This follows from #2564.

Callers should be able to pass content into this template (via instantiation of the LinkAction object and subclasses) in one of three ways:

• As plaintext: the field should not support HTML at all, and all entites should be escaped. Example: https://github.com/pkp/ojs/blob/ab3a1084c2079e025ebfabf258f20eccba10f688/controllers/grid/issues/IssueGridCellProvider.php#L65. This should be the "default" behaviour.
• With unlimited HTML: when the grid column is created with the anyhtml flag, all HTML is dumped in without escaping. (This should be used very cautiously!)
• (I was tempted to add "limited HTML", but I don't think we have a use case for that.)

There shouldn't be any need for an unescape call in linkActionButton.tpl -- it only confuses things. For example, applying a strip_unsafe_html before an unescape gives the impression that escaping is handled, but if the incoming label is already HTML, the filtering won't be applied (as expected)!

PRs

Stable-3.4.0

pkp-lib --> #9331
ojs --> pkp/ojs#4048 [TEST ONLY]

[asmecher]

Merged!