[SECURITY] Missing escaping for sys_notes
author Georg Ringer <mail@ringerge.org>
Wed, 28 Mar 2012 11:54:38 +0000 (13:54 +0200)
committer Oliver Hader <oliver@typo3.org>
Wed, 28 Mar 2012 11:54:43 +0000 (13:54 +0200)
sys_notes misses escaping in the info module, not in the page/list module

Change-Id: I8145299dfc35ec1a3a17d32852987c6fd01575c5
Fixes: #22748
Releases: 6.0, 4.7, 4.6, 4.5, 4.4
Security-Commit: a613e5419862827b791505852622e5e010265a97
Security-Bulletin: TYPO3-CORE-SA-2012-001
Reviewed-on: http://review.typo3.org/10011
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/cms/layout/class.tx_cms_layout.php

index c050626..67c0ab0 100755 (executable)
@@ -1004,7 +1004,7 @@ class tx_cms_layout extends recordList {
 
                                                        $theData['__cmds__'] = $this->getIcon('sys_note', $row);
                                                        $theData['info'] = $head . $cont;
-                                                       $theData['note'] = nl2br($row['message']);
+                                                       $theData['note'] = nl2br(htmlspecialchars($row['message']));
 
                                                        $out .= $this->addelement(1, '', $theData, $tdparams, 20);
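Review bot: The escaping order in the changed line is the right one, since `nl2br(htmlspecialchars($row['message']))` escapes the user-controlled text first and only then inserts the `<br />` tags that have to survive into the output; doing it the other way round would neutralise the line breaks. Two points to raise on the hunk anyway: first, `htmlspecialchars()` is called with its defaults here, which escape `<`, `>`, `&` and double quotes but not single quotes (ENT_COMPAT), so this is safe for the table-cell text node the value lands in, but not for reuse in a single-quoted attribute, and the default charset differs between PHP versions supported by the listed releases (4.4 through 6.0); it would be worth stating the intended context and charset in the commit message or a comment. Second, the unchanged line directly above, `$theData['info'] = $head . $cont;`, is emitted through the same `addelement()` call with no escaping visible in this hunk; the diff does not show how `$head` and `$cont` are built, so please confirm in review that they are already escaped at their origin, otherwise the same class of issue remains in the same row.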