Fix remaining code review issues

- Use addActionWarning() in dialog open callback to remove duplication
- Fix HTML entity display in breadcrumb and share link
  Literal ampersands (foo&bar) were displayed as foo&bar
- Add global escapeHtml() utility function for consistent HTML escaping

Author: mgutt

emhttp/plugins/dynamix/Browse.page

@@ -59,6 +59,13 @@ function autoscale(value) {
   return ((Math.round(scale*data)/scale)+' '+unit[base]).replace('.','<?=$display['number'][0]?>')+'/s';
 }
 
+// HTML-escape function to preserve literal &amp; and other entities
+function escapeHtml(text) {
+  var div = document.createElement('div');
+  div.textContent = text;
+  return div.innerHTML;
+}
+
 // Add warning to dialog buttonpane based on action type
 function addActionWarning(action, isBulk) {
   var warningTexts = isBulk ? {
@@ -1063,21 +1070,7 @@ function doActions(action, title) {
       $('.ui-dfm').off('mousedown.dfmFileTree');
     },
     open: function() {
-      // Add warning to buttonpane for all relevant actions (bulk operations)
-      var warningTexts = {
-        0: "<?=_("This creates a folder at the current level")?>",
-        1: "<?=_("This deletes all selected sources")?>",
-        2: "<?=_("This renames the selected source")?>",
-        3: "<?=_("This copies all the selected sources")?>",
-        4: "<?=_("This moves all the selected sources")?>",
-        11: "<?=_("This changes the owner of the source recursively")?>",
-        12: "<?=_("This changes the permission of the source recursively")?>"
-      };
-      var warningText = warningTexts[action];
-      if (warningText) {
-        var $warning = $('<div class="dfm-warning">').html('<i class="fa fa-warning dfm"></i> ' + warningText);
-        $('.ui-dfm .ui-dialog-buttonset').prepend($warning);
-      }
+      addActionWarning(action, true);
     },
     buttons: {
       "_(Start)_": function(){
@@ -1356,10 +1349,11 @@ function loadList() {
 
 function xlink(link) {
   var path = decodeURIComponent(link).trim();
+  var escapedPath = escapeHtml(path);
 
   // Always show dialog with selectable textarea (better mobile support)
   var inputId = 'dfm_path_input_' + Date.now();
-  var inputHtml = '<textarea id="' + inputId + '" class="dfm-path-textarea text-center font-mono" readonly>' + path + '</textarea>';
+  var inputHtml = '<textarea id="' + inputId + '" class="dfm-path-textarea text-center font-mono" readonly>' + escapedPath + '</textarea>';
 
   swal({
     title: '',
@@ -1418,7 +1412,8 @@ $(function(){
   if (dirs.length > 1) {
     for (var n=1; n < dirs.length; n++) {
       var subdir = dirs.slice(1,n+1);
-      url.push('<a class="none" href="/<?=$path?>?dir=/'+encodeURIComponent(subdir.join('/'))+'" oncontextmenu="xlink(\'/' + encodeURIComponent(subdir.join('/')) + '\');return false">'+(n == 1 ? '<i class="fa fa-home"></i>' : dirs[n])+'</a>');
+      var displayText = n == 1 ? '<i class="fa fa-home"></i>' : escapeHtml(dirs[n]);
+      url.push('<a class="none" href="/<?=$path?>?dir=/'+encodeURIComponent(subdir.join('/'))+'" oncontextmenu="xlink(\'/' + encodeURIComponent(subdir.join('/')) + '\');return false">'+displayText+'</a>');
     }
   } else {
     url.push('<i class="fa fa-home red-text"></i>');