Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer...
[Packages/TYPO3.CMS.git] / typo3 / template.php
index 84a3d58..f191579 100644 (file)
@@ -598,7 +598,7 @@ class template {
                ));
 
                $out ="
-       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::_GP('returnUrl')))."';
+       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'))))."';
        var T3_THIS_LOCATION = '".str_replace('%20','',rawurlencode($thisLocation))."';
                ";
                return $out;
@@ -2191,7 +2191,7 @@ $str.=$this->docBodyTagBegin().
                        $title = t3lib_BEfunc::getRecordTitle('pages', $pageRecord);
                } else {        // On root-level of page tree
                                // Make Icon
-                       $iconImg = t3lib_iconWorks::getSpriteIcon('apps-pagetree-root', array('title' => $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']));
+                       $iconImg = t3lib_iconWorks::getSpriteIcon('apps-pagetree-root', array('title' => htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'])));
                        if($BE_USER->user['admin']) {
                                $theIcon = $GLOBALS['SOBE']->doc->wrapClickMenuOnIcon($iconImg, 'pages', 0);
                        } else {