[SECURITY] Remove possible XSS from ActionController Error output 07/26207/2
author Anja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:53:36 +0000 (10:53 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:53:40 +0000 (10:53 +0100)
commit cbbeefd9236deb70ac7d17edb747d0a8b970e2c5
tree d3a1728aa69fdae223707a45688e3a9eadbb881e
parent 163947aef180e184d543e9a0b1879f49e87dd884
[SECURITY] Remove possible XSS from ActionController Error output

As parameters passed to an ErrorObject can be user input, the
output of those parameters in the ActionController::errorAction() method
could lead to a cross-site scripting possibility.

The offending output has been removed without substitution.

Change-Id: Iada1546a16fe6877edab42ca9a4a1a01574c29e0
Fixes: #54074
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: c3fa68afcdaa4322451d37b8b6a9a0a90f2df8d0
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26207
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/extbase/Classes/Mvc/Controller/ActionController.php