The Indexed Search statistics module is vulnerable to a
persistent XSS attack that can be injected by arbitrary frontend users.
Change-Id: Ieb87cfff20a5e49522a2410d24a3b2ae141535a0
Fixes: #31927
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit:
9aa89980af0db90bfc535f4858fc61036c3d8170
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13766
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
if ($res) {
while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
$i++;
- $table1.='<tr class="bgColor4"><td>'.$i.'.</td><td>'.$row['word'].'</td><td> '.$row['c'].'</td></tr>';
+ $table1 .= '<tr class="bgColor4"><td>' . $i . '.</td><td>' . htmlspecialchars($row['word']) . '</td><td> ' . $row['c'] . '</td></tr>';
}
}
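Review bot: On the added `$table1 .=` line the last column, `$row['c']`, is still concatenated into the markup unescaped, while only `$row['word']` goes through `htmlspecialchars()`. It looks like a count produced by the query, which lies outside this hunk, so it is probably numeric, but casting at the sink keeps the row safe however the query changes later: `'</td><td> ' . (int)$row['c'] . '</td></tr>'`. Because the stored words originate from frontend searches, it is also worth confirming that any other listing in this module that prints `word` from the same result set is escaped the same way; only this loop is visible here.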