[SECURITY] Fix potential XSS in BackendUtility::getFuncCheck
author Helmut Hummel <helmut.hummel@typo3.org>
Thu, 8 Nov 2012 11:44:45 +0000 (12:44 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 8 Nov 2012 11:44:48 +0000 (12:44 +0100)
commit 2bbc7a32f1866498c9991bff5ae8242111ad1f32
tree 71c2e18f9a3e6ef4c355e5172c9abc75860f6b7b
parent 306c8c0ee577875b70a96889183fe6b1f318e244
[SECURITY] Fix potential XSS in BackendUtility::getFuncCheck

The method getFuncCheck creates a URL from input variables and puts
it in JavaScript context without properly encoding them.

This might lead to XSS if the input variables come from an untrusted source.

Fixes: #42776
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: Ia312e96791bc23460462c2374c0d08f47f762447
Security-Bulletin: TYPO3-CORE-SA-2012-005
Reviewed-on: http://review.typo3.org/16305
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Utility/BackendUtility.php
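
The commit message above describes input variables being placed into a URL inside JavaScript without encoding. The following is an added example, not the TYPO3 patch or any project code: it shows that pattern beside a version that encodes once per nested context. The helper names `funcCheckUnsafe` and `funcCheckSafe`, the `jumpToUrl` call shape, and the sample values are assumptions, and `$script` is assumed to be a trusted script path.

```php
<?php
// Added illustration; hypothetical helpers, not TYPO3's BackendUtility code.

// Vulnerable pattern: request-derived values are concatenated straight into
// a JavaScript string literal inside an onclick attribute.
function funcCheckUnsafe(string $script, string $id, string $elementName): string
{
    $onClick = "jumpToUrl('" . $script . '?id=' . $id . '&' . $elementName
        . "='+(this.checked?1:0),this);";
    return '<input type="checkbox" name="' . $elementName
        . '" onclick="' . $onClick . '" />';
}

// Hardened pattern: encode once per nested context, innermost first.
function funcCheckSafe(string $script, string $id, string $elementName): string
{
    // 1. URL context: percent-encode the parameter name and value.
    $url = $script . '?id=' . rawurlencode($id)
        . '&' . rawurlencode($elementName) . '=';

    // 2. JavaScript context: emit the URL as a complete, quoted JS string
    //    literal; the JSON_HEX_* flags also neutralise <, >, &, ' and ".
    $jsUrl = json_encode(
        $url,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
    );
    $onClick = 'jumpToUrl(' . $jsUrl . '+(this.checked?1:0),this);';

    // 3. HTML attribute context: escape the finished handler and the name.
    return '<input type="checkbox" name="'
        . htmlspecialchars($elementName, ENT_QUOTES, 'UTF-8')
        . '" onclick="' . htmlspecialchars($onClick, ENT_QUOTES, 'UTF-8')
        . '" />';
}

// Constructed input: a quote character that ends the JS string early
// in the unsafe variant and stays inert data in the safe one.
$id = "1'+alert(1)+'";
echo funcCheckUnsafe('index.php', $id, 'SET[showAll]'), PHP_EOL;
echo funcCheckSafe('index.php', $id, 'SET[showAll]'), PHP_EOL;
```

Comparing the two printed `onclick` attributes shows where the quote from `$id` lands: inside the handler's code in the first line, and percent-encoded inside the URL string in the second.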