[SECURITY] Prevent possible XSS in Fluid templates 89/51889/2
author Nicole Cordes <typo3@cordes.co>
Tue, 28 Feb 2017 10:22:25 +0000 (11:22 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 28 Feb 2017 10:22:32 +0000 (11:22 +0100)
commit 1a4e18ba72055d79336e2df96430a98438eb9c89
tree b63dfc156eed5532993722f40c268dcad106e14e
parent 414bfcac3621ff16d16646c32b981ba7bb479cff
[SECURITY] Prevent possible XSS in Fluid templates

This patch ensures proper encoding of the output of if-ViewHelpers when
used in inline notation.

The regular expression to find possibly affected usages is:
\{\s*f:if\s*\(.+,\s*(?:then|else):(?>\s*)[^']

Resolves: #79911
Releases: master, 7.6
Security-Commit: c187889fb52c6037abf9ffe033f65903c39f715a
Security-Bulletin: TYPO3-CORE-SA-2017-003
Change-Id: Ia509265b5ce9e0baecc62f33031789c08145df55
Reviewed-on: https://review.typo3.org/51889
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Resources/Private/Templates/Wizards/ImageManipulationWizard.html
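The commit message gives a regular expression for locating inline `f:if` usages whose `then:`/`else:` argument does not start with a quote, i.e. the usages it calls possibly affected. The scanner below is an added example, not code from this commit or from TYPO3 itself: it applies that regex to a template, then lists which argument is unquoted in each hit. Two assumptions are mine: the atomic group `(?>\s*)[^']` from the commit's regex is rewritten as `\s*[^'\s]` because Python's `re` module only supports atomic groups from 3.11 (the meaning is the same: the first non-whitespace character after `then:`/`else:` is not a single quote), and the sample template is constructed for the demonstration.

```python
"""Locate inline f:if usages with an unquoted then:/else: argument.

Added example for the TYPO3 commit "Prevent possible XSS in Fluid
templates"; it is not part of the commit. It reuses the regex given in
the commit message and adds a second pass to report the offending
argument.
"""
import re
from typing import Dict, List

# Regex from the commit message:
#   \{\s*f:if\s*\(.+,\s*(?:then|else):(?>\s*)[^']
# Adapted for Python's re module (assumption: (?>\s*)[^'] rewritten as
# \s*[^'\s], which is equivalent; atomic groups need Python >= 3.11).
POSSIBLY_AFFECTED = re.compile(r"\{\s*f:if\s*\(.+,\s*(?:then|else):\s*[^'\s]")

# Helpers added here (not in the commit) to report which argument is unquoted.
INLINE_IF = re.compile(r"\{\s*f:if\s*\((?P<args>.*?)\)\s*\}")
UNQUOTED_ARG = re.compile(r"(?:^|,)\s*(?P<name>then|else):\s*(?P<value>[^'\s][^,]*)")


def is_possibly_affected(line: str) -> bool:
    """True if the line matches the commit's regex for affected usages."""
    return POSSIBLY_AFFECTED.search(line) is not None


def scan_template(template: str) -> List[Dict[str, object]]:
    """Return one finding per unquoted then:/else: argument of an inline f:if.

    Each finding carries the 1-based line number, the argument name, its
    (stripped) value and the full inline expression it was found in.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        if not is_possibly_affected(line):
            continue
        for expr in INLINE_IF.finditer(line):
            for arg in UNQUOTED_ARG.finditer(expr.group("args")):
                findings.append({
                    "line": lineno,
                    "argument": arg.group("name"),
                    "value": arg.group("value").strip(),
                    "expression": expr.group(0),
                })
    return findings


# Constructed sample template (not from the TYPO3 code base):
#   line 1: then: is an unquoted variable            -> flagged
#   line 2: then:/else: are quoted string literals    -> not flagged
#   line 3: tag notation, not inline notation         -> not matched by the regex
#   line 4: then: is an unquoted {count} expression   -> flagged
#   line 5: whitespace variations, else: unquoted     -> flagged
SAMPLE_TEMPLATE = """\
<h1>{f:if(condition: user.name, then: user.name, else: 'anonymous')}</h1>
<h1>{f:if(condition: user.name, then: '{user.name}', else: 'anonymous')}</h1>
<f:if condition="{user.name}" then="{user.name}" else="anonymous" />
<span>{f:if(condition: '{count} > 0', then:{count}, else:'none')}</span>
<span>{ f:if ( condition: x, else: y ) }</span>
"""


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print(f"line {finding['line']}: {finding['argument']}: "
              f"{finding['value']!r} in {finding['expression']}")
```

Run it over your own templates with `scan_template(path.read_text())`; the regex only finds candidates, so each hit still needs a look at whether the value flows from untrusted input. Tag-notation `<f:if ...>` usages are outside the commit's regex and are not reported.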