[SECURITY] XSS in be_layouts
authorGeorg Ringer <mail@ringerge.org>
Wed, 28 Mar 2012 11:56:21 +0000 (13:56 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 28 Mar 2012 11:56:25 +0000 (13:56 +0200)
Some values from the backend layout configuration
are not properly escaped

Change-Id: Id08f8f21d5c429e05e5de938e46eb2532855f5a6
Fixes: #29536
Releases: 6.0, 4.7, 4.6, 4.5, 4.4
Security-Commit: d34ae5f174a0fc5242323909771a6fbf21ef785b
Security-Bulletin: TYPO3-CORE-SA-2012-001
Reviewed-on: http://review.typo3.org/10032
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/cms/layout/class.tx_cms_layout.php

index 35f4e74..1b370a1 100755 (executable)
@@ -526,14 +526,17 @@ class tx_cms_layout extends recordList {
                                                        $columnKey = intval($columnConfig['colPos']);
 
                                                        // render the grid cell
+                                                       $colSpan = intval($columnConfig['colspan']);
+                                                       $rowSpan = intval($columnConfig['rowspan']);
+
                                                        $grid .= '<td valign="top"' .
-                                                                       (isset($columnConfig['colspan']) ? ' colspan="' . $columnConfig['colspan'] . '"' : '') .
-                                                                       (isset($columnConfig['rowspan']) ? ' rowspan="' . $columnConfig['rowspan'] . '"' : '') .
+                                                                       ($colSpan > 0 ? ' colspan="' . $colSpan . '"' : '') .
+                                                                       ($rowSpan > 0 ? ' rowspan="' . $rowSpan . '"' : '') .
                                                                        ' class="t3-gridCell t3-page-column t3-page-column-' . $columnKey .
                                                                        (!isset($columnConfig['colPos']) ? ' t3-gridCell-unassigned' : '') .
                                                                        ((isset($columnConfig['colPos']) && ! $head[$columnKey]) ? ' t3-gridCell-restricted' : '') .
-                                                                       (isset($columnConfig['colspan']) ? ' t3-gridCell-width' . $columnConfig['colspan'] : '') .
-                                                                       (isset($columnConfig['rowspan']) ? ' t3-gridCell-height' . $columnConfig['rowspan'] : '') . '">';
+                                                                       ($colSpan > 0 ? ' t3-gridCell-width' . $colSpan : '') .
+                                                                       ($rowSpan > 0 ? ' t3-gridCell-height' . $rowSpan : '') . '">';
 
                                                        // Draw the pre-generated header with edit and new buttons if a colPos is assigned.
                                                        // If not, a new header without any buttons will be generated.
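Review bot: The new `$colSpan`/`$rowSpan` lines read `$columnConfig['colspan']` and `$columnConfig['rowspan']` unconditionally, so a layout column that omits either key now raises an "Undefined index" notice where the removed `isset()` guards did not; `$colSpan = isset($columnConfig['colspan']) ? intval($columnConfig['colspan']) : 0;` (and the same for rowspan) keeps the cast and the notice-free behaviour. The integer cast is the real fix here, since the values land both in the `colspan`/`rowspan` attributes and in the `t3-gridCell-width`/`t3-gridCell-height` class names, so a comment such as `// cast to int: these config values are written unescaped into attributes and class names` would stop a later refactor from reinstating the raw value. The cast also silently drops a configured `0` or non-numeric value that the old code emitted verbatim; that tightening looks intended but is worth stating in the commit message. The enclosing method of tx_cms_layout begins and ends outside this hunk.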