fix (lightbox): sanitize lightbox title (#3390)

Co-authored-by: [email protected] <>

Author: bfintal

src/lightbox/frontend-image-lightbox.js

@@ -93,6 +93,19 @@ const isImageBlock = el => {
 	return el && el.classList.contains( 'stk-block-image' )
 }
 
+function sanitize( string ) {
+	const map = {
+		'&': '&',
+		'<': '&lt;',
+		'>': '&gt;',
+		'"': '&quot;',
+		"'": '&#x27;',
+		'/': '&#x2F;',
+	}
+	const reg = /[&<>"'/]/ig
+	return string.replace( reg, match => map[ match ] )
+}
+
 class StackableImageLightbox {
 	init = () => {
 		this.elements = []
@@ -135,6 +148,10 @@ class StackableImageLightbox {
 				title = imageBlock.getAttribute( 'alt' ) || null
 			}
 
+			// Sanitize strings.
+			title = title ? sanitize( title ) : null
+			link = typeof link === 'string' ? sanitize( link ) : link
+
 			const isUsingImageBlock = ( ! link || ! href ) && imageBlock
 
 			this.elements.push( {