[SECURITY] XSS in Indexed Search statistics

Indexed Search statistics module is vulnerable to
persistent XSS attack injected by arbitrary frontend users.

Change-Id: Ieb87cfff20a5e49522a2410d24a3b2ae141535a0
Fixes: #31927
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit: 9aa89980af0db90bfc535f4858fc61036c3d8170
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13766
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

diff --git a/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php b/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php
index 41470f1..3254b2d 100644 (file)
--- a/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php
+++ b/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php
@@ -152,7 +152,7 @@ class tx_indexedsearch_modfunc2 extends t3lib_extobjbase {
                if ($res) {
                        while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
                                $i++;
-                               $table1.='<tr class="bgColor4"><td>'.$i.'.</td><td>'.$row['word'].'</td><td>&nbsp;&nbsp;'.$row['c'].'</td></tr>';
+                               $table1 .= '<tr class="bgColor4"><td>' . $i . '.</td><td>' . htmlspecialchars($row['word']) . '</td><td>&nbsp;&nbsp;' . $row['c'] . '</td></tr>';
                        }
                }