[SECURITY] Prevent possible XSS in Fluid templates 93/51893/2
author Nicole Cordes <typo3@cordes.co>
Tue, 28 Feb 2017 10:23:37 +0000 (11:23 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 28 Feb 2017 10:23:58 +0000 (11:23 +0100)
commit f47b0c18b3bac7d601ca332cae632b807c284d62
tree 476ba48918a3c22e347a4f836983e28a0cc62845
parent 0197adbe9ff8b8fd84d5cadfcd64a7df95048029
[SECURITY] Prevent possible XSS in Fluid templates

This patch ensures proper encoding of the output of if-ViewHelpers when
used in inline notation.

The regular expression to find possibly affected usages is:
\{\s*f:if\s*\(.+,\s*(?:then|else):(?>\s*)[^']

Resolves: #79911
Releases: master, 7.6
Security-Commit: 25113a810a8b9203f61ef694e0ef0a42dc349a72
Security-Bulletin: TYPO3-CORE-SA-2017-003
Change-Id: I09fea4c7d9dc845d1be23a34627dcc277da089f9
Reviewed-on: https://review.typo3.org/51893
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Resources/Private/Templates/ToolbarItems/ClearCacheToolbarItemDropDown.html
typo3/sysext/fluid_styled_content/Resources/Private/Templates/Uploads.html
typo3/sysext/install/Resources/Private/Partials/Action/Tool/ImportantActions/SystemInformation.html
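The commit message gives a regular expression for locating template code that may be affected, but not a way to run it. The scanner below is an added example, not code from the TYPO3 project or this commit: it applies that expression line by line to a Fluid template and reports every inline `f:if` whose `then:` or `else:` argument is not a single-quoted string literal. One assumption is labelled in the code: the PCRE atomic group `(?>\s*)[^']` is rewritten as the equivalent `\s*[^\s']` so the pattern runs on Python's `re` module (atomic groups only arrived in Python 3.11); both forms refuse to let the character after `then:`/`else:` be whitespace or a quote. The sample template is constructed for the example and is not taken from any TYPO3 file.

```python
import re
from typing import List, Tuple

# Pattern from the commit message. The PCRE atomic group "(?>\s*)[^']" is
# written here as "\s*[^\s']" (assumption: this is the portable equivalent
# for Python's re module). Without the atomic/negated form, "then:   'x'"
# would be a false positive, because "\s*" could give back one space for
# "[^']" to match.
AFFECTED_RE = re.compile(r"\{\s*f:if\s*\(.+,\s*(?:then|else):\s*[^\s']")


def find_affected(template: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for each line containing an
    inline f:if whose then:/else: argument is not a quoted literal.

    Scanning is per line, like grep: an inline f:if spread over several
    lines is not caught, so such usages still need a manual look.
    """
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(template.splitlines(), start=1):
        if AFFECTED_RE.search(line):
            hits.append((number, line))
    return hits


# Constructed sample template (not from any TYPO3 file). Lines 2-4 pass a
# variable as then:/else: and should be flagged; lines 1 and 5 use quoted
# literals (line 5 with extra whitespace, the atomic-group case); line 6 is
# tag notation, which the commit's regex does not cover.
SAMPLE_TEMPLATE = """\
<h1>{f:if(condition: '{user.isAdmin}', then: 'Admin', else: 'User')}</h1>
<h2>{f:if(condition: '{title}', then: title, else: 'untitled')}</h2>
<p>{f:if(condition: '{record.value}', then: '{record.label}', else: record.value)}</p>
<span>{ f:if( condition:'{a}', then:  {a}, else:'b' ) }</span>
<em>{f:if(condition: '{a}', then:   'x', else: 'y')}</em>
<f:if condition="{x}" then="{x}" else="no" />
"""


if __name__ == "__main__":
    for number, line in find_affected(SAMPLE_TEMPLATE):
        print(f"line {number}: {line.strip()}")
```

Run it over a checkout with something like `find . -name '*.html' -exec python3 scan.py {} +` after swapping the sample for file input; every hit is only a candidate, since the regex flags any unquoted argument, and whether the value reaches the page unencoded still has to be confirmed in the template.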