[SECURITY] Use a fluid template for the ConfirmationFinisher message 39/59539/2
author Ralf Zimmermann <ralf.zimmermann@tritum.de>
Tue, 22 Jan 2019 08:43:24 +0000 (09:43 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 22 Jan 2019 08:43:27 +0000 (09:43 +0100)
commit 7b413d09143a5a678cb386cc943f862565dd54d8
tree db0cb5e162b9ddca2f54f792f94be96710f08b5c
parent d80a3ad28ec29ccf27ab2533ce4af4f7ed6349dd
[SECURITY] Use a fluid template for the ConfirmationFinisher message

The ConfirmationFinisher message is now rendered within a fluid template
to allow styling of the message.
Furthermore, the FormRuntime (and thus all form element values) and the
finisherVariableProvider are available in the template.
Custom variables can be added globally within the form setup or at
form level in the form definition.
By using a fluid template and the associated html escaping, the display
of the ConfirmationFinisher message is protected against XSS / html
injection attacks.

Resolves: #84902
Releases: master, 9.5, 8.7
Security-Commit: a38c63f3f03b1ab267666ca06a3abaead57b8265
Security-Bulletin: TYPO3-CORE-SA-2019-007
Change-Id: Ib6cfef88bef09f72b675909f7022120b32c095df
Reviewed-on: https://review.typo3.org/59539
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Documentation/Changelog/8.7.x/Feature-83405-AddConfirmationFinisherTemplate.rst [new file with mode: 0644]
typo3/sysext/form/Classes/Domain/Finishers/ConfirmationFinisher.php
typo3/sysext/form/Configuration/Yaml/BaseSetup.yaml
typo3/sysext/form/Documentation/Config/configuration/Index.rst
typo3/sysext/form/Documentation/Config/proto/finishersDefinition/finishers/Confirmation.rst
typo3/sysext/form/Resources/Private/Frontend/Templates/Finishers/Confirmation/Confirmation.html [new file with mode: 0644]
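The security point of the commit above is that the confirmation message now goes through a Fluid template, whose default output escaping neutralises markup carried in submitted form values. The following is an added illustration, not code from the TYPO3 commit or from the form extension: a small placeholder renderer that shows the difference between interpolating form values verbatim and passing each value through `htmlspecialchars()`, which is the behaviour Fluid applies to `{variable}` output by default. The template syntax, function names and sample submission are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the TYPO3 commit. It contrasts the risky
// pattern (form values dropped into the confirmation message as-is) with
// the behaviour a Fluid template gives by default: every variable is
// HTML-escaped on output unless the template explicitly marks it raw.

/**
 * Risky: values are substituted verbatim, so a submitted value that
 * contains markup becomes live markup in the rendered confirmation page.
 */
function renderUnescaped(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        static fn(array $m): string => (string)($values[$m[1]] ?? ''),
        $template
    );
}

/**
 * Hardened: the same substitution, but each value is escaped before it
 * reaches the output (quotes included, so attribute contexts are covered).
 */
function renderEscaped(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        static fn(array $m): string => htmlspecialchars(
            (string)($values[$m[1]] ?? ''),
            ENT_QUOTES | ENT_HTML5,
            'UTF-8'
        ),
        $template
    );
}

// Constructed sample: a confirmation message that echoes two form fields,
// and a submission whose "name" field carries a script tag.
$message = '<p>Thank you, {name}. We will reply to {email}.</p>';
$submission = [
    'name'  => '<script>alert(1)</script>',
    'email' => 'user@example.com',
];

echo "Unescaped:\n", renderUnescaped($message, $submission), "\n\n";
echo "Escaped:\n", renderEscaped($message, $submission), "\n";
```

Run it with `php example.php`; the first output contains the script tag as markup, the second shows it as literal text. The protection the commit relies on holds only while the template keeps Fluid's escaping in place: a template author who wraps a submitted value in `f:format.raw` (or switches escaping off for the template) reintroduces the original injection surface, so reviewing templates for raw output of form values is the check to keep in place.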