[SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck
author Helmut Hummel <helmut.hummel@typo3.org>
Thu, 8 Nov 2012 11:43:50 +0000 (12:43 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Thu, 8 Nov 2012 11:43:53 +0000 (12:43 +0100)
commit a768d97c4c93197563bbc148ff0ed1baacc0d0d3
tree 341c9258f6ac50411b7cfb26376a1149947d276e
parent ba187e55ea438deb3110bb56709d8602c0dea483
[SECURITY] Fix potential XSS in t3lib_BEfunc::getFuncCheck

The method getFuncCheck creates a URL from input variables and puts
it in JavaScript context without properly encoding them.

This might lead to XSS if the input variables come from an untrusted source.

Fixes: #42776
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: Ife04524ed577cb7b2cd88bae27d87439adf4ef60
Security-Commit: 3615725a62b56bdfe88a5a8e952b3aa582f16d4c
Security-Bulletin: TYPO3-CORE-SA-2012-005
Reviewed-on: http://review.typo3.org/16296
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_befunc.php
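
The pattern the commit message describes, as an added PHP illustration that is not TYPO3's code and not the content of this commit: a URL built from input and placed in an onclick handler crosses three contexts (URL, JavaScript string, HTML attribute), and each needs its own encoding step. The function names, parameters, the `goTo` handler and the sample values are all hypothetical.

```php
<?php
// Added illustration. Every name below is hypothetical, not taken from TYPO3.

/** Vulnerable pattern: input concatenated into a URL inside a JS string literal. */
function funcCheckUnsafe(string $script, string $id, string $name, string $value): string
{
    $url = $script . '?id=' . $id . '&' . $name . '=' . $value;
    // A single quote in any input ends the JS string early.
    return '<input type="checkbox" onclick="goTo(\'' . $url . '\');" />';
}

/** Hardened pattern: encode once per context, innermost context first. */
function funcCheckSafe(string $script, string $id, string $name, string $value): string
{
    // 1. URL context: percent-encode every parameter name and value.
    $query = http_build_query(['id' => $id, $name => $value], '', '&', PHP_QUERY_RFC3986);
    $url = $script . '?' . $query;

    // 2. JavaScript context: emit a quoted string literal. The JSON_HEX_* flags
    //    turn <, >, &, ' and " inside the string into \uXXXX escapes.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    $js = 'goTo(' . json_encode($url, $flags) . ');';

    // 3. HTML attribute context: escape the finished handler as a whole.
    return '<input type="checkbox" onclick="' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample input: a value containing a quote and statement separators.
$value = "1');marker();//";

echo funcCheckUnsafe('index.php', '42', 'SET[flag]', $value), PHP_EOL;
echo funcCheckSafe('index.php', '42', 'SET[flag]', $value), PHP_EOL;
```

In the first line of output the sample value closes the string and `marker()` appears as a separate statement; in the second it stays inside the percent-encoded query string.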