CVE-2020-23263

An attacker with access to the Fork CMS backend can inject arbitrary JavaScript by supplying malicious input in the `navigation_title` or `title` parameters when adding or editing a page at `/private/en/pages/add`. Because the application fails to neutralize this input before rendering it in HTML output, the injected script executes in the context of any administrator who views the affected page tree or navigation. This is a classic stored cross-site scripting (XSS) attack [CWE-79].

The vulnerability exists in `src/Backend/Modules/Pages/Engine/Model.php` where `navigation_title` and `title` values are output without sanitization in multiple methods (`createHtml`, `getPagesForDropdown`, `getSubTreeForDropdown`, `getSubtree`, `getTreeHTML`). The patch also fixes unsafe output in `src/Frontend/Core/Layout/Templates/Navigation.html.twig`, `src/Backend/Modules/Pages/Layout/Templates/Edit.html.twig`, `src/Frontend/Core/Header/MetaData.php`, and `src/Frontend/Core/Header/MetaLink.php`.

The patch wraps all unsafe `navigation_title` and `title` outputs with `htmlspecialchars()` (or the Twig `escape` filter) so that HTML metacharacters like `<`, `>`, `"`, and `&` are encoded as entities. In `Model.php`, seven locations now pass values through `htmlspecialchars()` before concatenation into HTML strings. The Twig templates switch from `|raw` to `|e('html')` (or `|escape`), and the `MetaData.php`/`MetaLink.php` files encode attribute values. These changes prevent the browser from interpreting attacker-supplied input as executable script tags.