* Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to...
[Packages/TYPO3.CMS.git] / typo3 / view_help.php
index 9b1d391..c1a27c9 100644 (file)
@@ -147,6 +147,10 @@ class SC_view_help {
 
                        // Setting GPvars:
                $this->tfID = t3lib_div::_GP('tfID');
+                       // Sanitizes the tfID using whitelisting.
+               if (!preg_match('/^[a-zA-Z0-9_\-\.]*$/', $this->tfID)) {
+                       $this->tfID = '';
+               }
                if (!$this->tfID) {
                        if (($this->ffID = t3lib_div::_GP('ffID'))) {
                                $this->ffID = unserialize(base64_decode($this->ffID));
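Review bot: The whitelist pattern added for tfID is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value such as `foo\n` still passes the check; anchor with the `D` modifier or `\z` instead: `if (!preg_match('/^[a-zA-Z0-9_\-\.]*$/D', $this->tfID)) {`. A short comment on why the check exists would help the next maintainer, e.g. `// tfID is echoed into the page; restrict it to a safe character set (bug #12305).` Separately, the context line at the end of the hunk still feeds request input straight into `unserialize(base64_decode($this->ffID))`; that path is not covered by this fix and deserialising untrusted data this way is worth its own follow-up (a plain-data format such as JSON, or a strict format check before decoding). The enclosing method begins before the hunk, so I cannot see how tfID is consumed later.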