[SECURITY] Prevent possible XSS in Fluid templates 89/51889/2
author Nicole Cordes <typo3@cordes.co>
Tue, 28 Feb 2017 10:22:25 +0000 (11:22 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 28 Feb 2017 10:22:32 +0000 (11:22 +0100)
This patch ensures proper encoding of the output of if-ViewHelpers when
used in inline notation.

The regular expression to find possibly affected usages is:
\{\s*f:if\s*\(.+,\s*(?:then|else):(?>\s*)[^']

Resolves: #79911
Releases: master, 7.6
Security-Commit: c187889fb52c6037abf9ffe033f65903c39f715a
Security-Bulletin: TYPO3-CORE-SA-2017-003
Change-Id: Ia509265b5ce9e0baecc62f33031789c08145df55
Reviewed-on: https://review.typo3.org/51889
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
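To make the search regex from the commit message concrete, the following is an added example (not code from the TYPO3 patch or repository) that runs it over a handful of constructed Fluid template lines. It shows which inline `f:if` usages the pattern flags, why the atomic group `(?>\s*)` keeps `then: 'literal'` from becoming a false positive, and that the pattern is a finder rather than a verifier: the patched line with `-> f:format.htmlspecialchars()` still matches. The sample lines and the function name `find_affected_usages` are mine.

```ruby
# Added example: apply the regex from the commit message to constructed
# Fluid template lines and report which ones it flags as possibly affected.
# The pattern is copied verbatim from the commit message.
AFFECTED_IF_PATTERN = /\{\s*f:if\s*\(.+,\s*(?:then|else):(?>\s*)[^']/

# Constructed sample lines (not taken from any TYPO3 template).
SAMPLE_TEMPLATE_LINES = [
  # 0: variables passed straight through in then/else -> flagged
  '<p>{f:if(condition:image.properties.title, then:image.properties.title, else:image.name)}</p>',
  # 1: quoted literals in then/else -> not flagged (quote follows the colon)
  "<p>{f:if(condition:item.active, then:'yes', else:'no')}</p>",
  # 2: quoted literals with a space after the colon -> not flagged; the atomic
  #    group (?>\s*) refuses to give the space back to [^'], so no false positive
  "<p>{f:if(condition:item.active, then: 'yes', else: 'no')}</p>",
  # 3: tag notation rather than inline notation -> not flagged
  '<f:if condition="{image.properties.title}"><f:then>{image.properties.title}</f:then></f:if>',
  # 4: literal then-branch but variable else-branch -> flagged
  "<p>{f:if(condition:image.properties.title, then:'-', else:image.name)}</p>",
  # 5: the patched form from this commit -> still flagged; the regex finds
  #    inline f:if usages, it does not check whether output is already encoded
  '<p>{f:if(condition:image.properties.title, then:image.properties.title, else:image.name) -> f:format.htmlspecialchars()}</p>',
]

# Returns the indices of the lines the pattern matches.
def find_affected_usages(lines)
  lines.each_index.select { |i| lines[i].match?(AFFECTED_IF_PATTERN) }
end

if __FILE__ == $PROGRAM_NAME
  find_affected_usages(SAMPLE_TEMPLATE_LINES).each do |i|
    puts "line #{i}: #{SAMPLE_TEMPLATE_LINES[i]}"
  end
end
```

Because line 5 is flagged as well, a match list alone does not tell you which usages are still unencoded; each hit needs a look at whether an encoding ViewHelper is already chained onto it.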
typo3/sysext/backend/Resources/Private/Templates/Wizards/ImageManipulationWizard.html

index 8ecd499..391fe4a 100644
@@ -12,7 +12,7 @@
                                        <form class="form">
                                                <div class="form-group">
                                                        <label><f:translate key="LLL:EXT:lang/locallang_wizards.xlf:imwizard.image-title" />:</label>
-                                                       <p>{f:if(condition:image.properties.title, then:image.properties.title, else:image.name)}</p>
+                                                       <p>{f:if(condition:image.properties.title, then:image.properties.title, else:image.name) -> f:format.htmlspecialchars()}</p>
                                                </div>
                                                <div class="form-group">
                                                        <label><f:translate key="LLL:EXT:lang/locallang_wizards.xlf:imwizard.original-dimensions" />:</label>
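Review bot: this is the only template the change touches, while the commit message supplies a regex for locating affected inline f:if usages; please confirm the remaining matches in the code base were reviewed, since the regex also matches the patched line here (it does not exclude a trailing `-> f:format.htmlspecialchars()` chain), so re-running it does not by itself show the sweep is complete. Chaining `-> f:format.htmlspecialchars()` onto the whole `f:if` is the right place for the encoding: whichever of `image.properties.title` or `image.name` is selected is encoded exactly once, which is simpler and safer than encoding each argument separately.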