[BUGFIX] Write config to extTables destroys HTML output 10/19710/2
author Philipp Gampe <philipp.gampe@typo3.org>
Sat, 6 Apr 2013 18:47:43 +0000 (20:47 +0200)
committer Christian Kuhn <lolli@schwarzbu.ch>
Sat, 6 Apr 2013 21:19:14 +0000 (23:19 +0200)
If you enter HTML to update a field in e.g. TCA to write the value into
extTables.php, then the HTML will be printed into the configuration
module.
htmlspecialchar the output.

Fixes: #46999
Releases: 6.1,6.0,4.7,4.5
Change-Id: I390b4252316b8bdf01e5bbcc5a8b33833bdf73e8
Reviewed-on: https://review.typo3.org/19710
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
typo3/sysext/lowlevel/config/index.php

index f91fdb4..cf919a3 100755 (executable)
@@ -299,7 +299,12 @@ class SC_mod_tools_config_index {
                                        $flashMessage = t3lib_div::makeInstance(
                                                't3lib_FlashMessage',
                                                '',
-                                               sprintf($GLOBALS['LANG']->getLL('writeMessage', TRUE), TYPO3_extTableDef_script,  '<br />', '<strong>' . nl2br($changedLine) . '</strong>'),
+                                               sprintf(
+                                                       $GLOBALS['LANG']->getLL('writeMessage', TRUE),
+                                                       TYPO3_extTableDef_script,
+                                                       '<br />',
+                                                       '<strong>' . nl2br(htmlspecialchars($changedLine)) . '</strong>'
+                                               ),
                                                t3lib_FlashMessage::OK
                                        );
                                } else {
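Review bot: In the new sprintf() call, TYPO3_extTableDef_script is still passed into the message unescaped, while only $changedLine is wrapped in htmlspecialchars(). The message carries raw markup ('<br />' and '<strong>') and is therefore rendered as HTML, so every non-markup argument should be encoded at this point; consider htmlspecialchars(TYPO3_extTableDef_script) for consistency, even though it is a constant rather than request input. The order nl2br(htmlspecialchars($changedLine)) is correct and should stay that way, since swapping the two calls would escape the inserted <br /> tags. A short comment above the sprintf() stating that the flash message body is output as HTML would help the next editor keep new arguments escaped.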