[SECURITY] Remove possible XSS from ActionController Error output 76/26176/2
authorAnja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:50:43 +0000 (10:50 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:50:46 +0000 (10:50 +0100)
commitb360a1a899d889e223b16a8447a0abb06b0d04ea
treee9a05a62442f56509905710584c00f7dc786576c
parent78ee538ce66b7bb358d2a9a9bd733166b24b6ab0
[SECURITY] Remove possible XSS from ActionController Error output

As parameters passed to an ErrorObject can be user input, the
output of those parameters in the ActionController::errorAction() method
could lead to a cross side scripting possibility.
The offending output has been removed without substitution.

Change-Id: Ide28a2af395a0a9558153ff6465dc8ae946a8b29
Fixes: #54074
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: f52d894b8adc385535ae0d3bc28700cd449e9f21
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26176
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/extbase/Classes/MVC/Controller/ActionController.php