[BUGFIX] Add missing htmlspecialchars in DocumentTemplate 91/36391/3
author Sascha Egerer <sascha.egerer@dkd.de>
Thu, 29 Jan 2015 22:44:20 +0000 (23:44 +0100)
committer Christian Kuhn <lolli@schwarzbu.ch>
Fri, 30 Jan 2015 13:02:02 +0000 (14:02 +0100)
commit 4347ca0436cb9a2cb160c8c3428e8b384c9b645c
tree 4e3db9aa0bc14d030631f7fdc5a4ce73fed9e718
parent d2b8fe86618bfa30352a79c8c158025b4456d71d
[BUGFIX] Add missing htmlspecialchars in DocumentTemplate

XSS is possible when using a special filename. The file has to be
created directly in the storage as uploading files with those names
is not possible.
Add a missing htmlspecialchars to prevent HTML injection.

Resolves: #64618
Releases: master, 6.2
Change-Id: I192e736fe629a37e923cc02a740fa2aadea20ee1
Reviewed-on: http://review.typo3.org/36391
Reviewed-by: Ingo Schmitt <is@marketing-factory.de>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Tested-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/backend/Classes/Template/DocumentTemplate.php
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php