[SECURITY] Prevent XSS in scheduler form 50/29150/2
authorNicole Cordes <typo3@cordes.co>
Thu, 3 Apr 2014 14:15:49 +0000 (16:15 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Fri, 4 Apr 2014 13:09:14 +0000 (15:09 +0200)
The class name is submitted in a hidden form field and is susceptible to XSS.
The patch introduces htmlspecialchars to rule out the XSS.

Resolves: #57603
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Change-Id: I4979e66f28a581e168c56d91327a1bbe2672448d
Reviewed-on: https://review.typo3.org/29150
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/scheduler/Classes/Controller/SchedulerModuleController.php

index d0a12bd..4392f6b 100644 (file)
@@ -657,8 +657,8 @@ class SchedulerModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClas
                        $style = ' style="display: none"';
                }
                // Start rendering the add/edit form
-               $content .= '<input type="hidden" name="tx_scheduler[uid]" value="' . $this->submittedData['uid'] . '" />';
-               $content .= '<input type="hidden" name="previousCMD" value="' . $this->CMD . '" />';
+               $content .= '<input type="hidden" name="tx_scheduler[uid]" value="' . htmlspecialchars($this->submittedData['uid']) . '" />';
+               $content .= '<input type="hidden" name="previousCMD" value="' . htmlspecialchars($this->CMD) . '" />';
                $table = array();
                $tr = 0;
                $defaultCell = array('<td class="td-input">', '</td>');
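Review bot: `tx_scheduler[uid]` is treated as a number later in this same form (`$this->submittedData['uid'] > 0` in the next hunk), so the first added line should enforce the type instead of only escaping it: `$content .= '<input type="hidden" name="tx_scheduler[uid]" value="' . (int)$this->submittedData['uid'] . '" />';`. Escaping `$this->CMD` on the second added line is right as written, since the value lands in a double-quoted attribute and the default htmlspecialchars flags escape double quotes. One caveat to keep in mind: on PHP 5.4 and later htmlspecialchars returns an empty string for a value that is not valid UTF-8, so a malformed value silently yields an empty hidden field rather than an error. The enclosing method starts and ends outside the hunk.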
@@ -679,7 +679,7 @@ class SchedulerModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClas
                // On editing, don't allow changing of the task class, unless it was not valid
                if ($this->submittedData['uid'] > 0 && !empty($taskInfo['class'])) {
                        $cell = $registeredClasses[$taskInfo['class']]['title'] . ' (' . $registeredClasses[$taskInfo['class']]['extension'] . ')';
-                       $cell .= '<input type="hidden" name="tx_scheduler[class]" id="task_class" value="' . $taskInfo['class'] . '" />';
+                       $cell .= '<input type="hidden" name="tx_scheduler[class]" id="task_class" value="' . htmlspecialchars($taskInfo['class']) . '" />';
                } else {
                        $cell = '<select name="tx_scheduler[class]" id="task_class" class="wide" onchange="actOnChangedTaskClass(this)">';
                        // Group registered classes by classname
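Review bot: The condition on the first context line checks only that `$taskInfo['class']` is non-empty, not that it names a registered class, although the comment above it says the class is locked only when it was valid; an unregistered name then produces undefined-index lookups on `$registeredClasses` on the following line and is still written into the hidden field (now escaped, so no longer an XSS vector). Unless validity is already established where `$taskInfo` is populated, which would be outside this hunk, the check should be made against the registered list: `if ($this->submittedData['uid'] > 0 && !empty($taskInfo['class']) && isset($registeredClasses[$taskInfo['class']])) {`. The added htmlspecialchars call is correct for the double-quoted attribute. The enclosing method starts and ends outside the hunk.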