[BUGFIX] Label in list view is not escaped 09/20509/3
authorNicole Cordes <typo3@cordes.co>
Fri, 5 Apr 2013 20:15:24 +0000 (22:15 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Sat, 11 May 2013 15:48:11 +0000 (17:48 +0200)
The label of a field in the list view is not escaped,
as the itemLabel function is broken: the wrap passed
through its third parameter cannot be HSCed afterwards
if it contains HTML.

Change-Id: I5adcf0ce97dd9f5e8fd9546b367f55f1ac0c532e
Fixes: #29409
Releases: 6.2, 6.1, 6.0
Reviewed-on: https://review.typo3.org/20509
Reviewed-by: Nicole Cordes
Tested-by: Nicole Cordes
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php

index 0bc3167..ef20885 100644 (file)
@@ -1810,7 +1810,7 @@ class BackendUtility {
         * @param string $table Table name, present in $GLOBALS['TCA']
         * @param string $col Field name
         * @param string $printAllWrap Wrap value - set function description
-        * @return string
+        * @return string or NULL if $col is not found in the TCA table
         */
        static public function getItemLabel($table, $col, $printAllWrap = '') {
                // Load full TCA for $table
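Review bot: The `@param string $printAllWrap Wrap value - set function description` line still documents a parameter that the signature keeps but the body, in the next hunk, never reads any more; a caller that still passes a wrap string now silently gets NULL for a column missing from TCA instead of the wrapped field name. Replace the line with something like `@param string $printAllWrap Unused since the wrap could not be escaped safely; kept only so existing call sites keep compiling, callers must build their own fallback label` so the dead parameter is not mistaken for a working feature. Since the parameter is retained for compatibility, a deprecation log entry when it is non-empty would help locate the remaining call sites, which this commit only fixes in DatabaseRecordList. getItemLabel's body continues past this hunk.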
@@ -1819,10 +1819,8 @@ class BackendUtility {
                if (is_array($GLOBALS['TCA'][$table]) && is_array($GLOBALS['TCA'][$table]['columns'][$col])) {
                        return $GLOBALS['TCA'][$table]['columns'][$col]['label'];
                }
-               if ($printAllWrap) {
-                       $parts = explode('|', $printAllWrap);
-                       return $parts[0] . $col . $parts[1];
-               }
+
+               return NULL;
        }
 
        /**
index 144e023..839636d 100644 (file)
@@ -833,6 +833,18 @@ class DatabaseRecordList extends \TYPO3\CMS\Recordlist\RecordList\AbstractDataba
                        default:
                                // Regular fields header:
                                $theData[$fCol] = '';
+
+                               // Check if $fCol is really a field and get the label and remove the colons at the end
+                               $sortLabel = \TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol);
+                               if ($sortLabel !== NULL) {
+                                       $sortLabel = $GLOBALS['LANG']->sL($sortLabel, TRUE);
+                                       $sortLabel = rtrim(trim($sortLabel), ':');
+                               } else {
+                                       // No TCA field, only output the $fCol variable with square brackets []
+                                       $sortLabel = htmlspecialchars($fCol);
+                                       $sortLabel = '<i>[' . rtrim(trim($sortLabel), ':') . ']</i>';
+                               }
+
                                if ($this->table && is_array($currentIdList)) {
                                        // If the numeric clipboard pads are selected, show duplicate sorting link:
                                        if ($this->clipNumPane()) {
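Review bot: `$sortLabel` is built here already HTML-escaped (the TRUE second argument to sL(), and htmlspecialchars($fCol) in the else branch) and wrapped in `<i>[...]</i>` for non-TCA columns, but the next hunk then feeds it into `$iTitle`, which is passed through htmlspecialchars() a second time for the title attribute. A label containing `&` or `<` now shows up double-encoded in the tooltip, and the non-TCA case shows the literal `<i>[col]</i>` markup, whereas the old code escaped the title exactly once. Keep a plain copy of the label alongside the escaped one and use it for the title: in the next hunk change `$iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), $sortLabel);` to `$iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), $plainLabel);`, with the block below providing `$plainLabel`. The enclosing switch and method start before this hunk.
```php
// Check if $fCol is really a field and get the label and remove the colons at the end
$sortLabel = \TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol);
if ($sortLabel !== NULL) {
    // Plain label for the title attribute (escaped once later); escaped copy for the link text
    $plainLabel = rtrim(trim($GLOBALS['LANG']->sL($sortLabel)), ':');
    $sortLabel = htmlspecialchars($plainLabel);
} else {
    // No TCA field, only output the $fCol variable with square brackets []
    $plainLabel = rtrim(trim($fCol), ':');
    $sortLabel = '<i>[' . htmlspecialchars($plainLabel) . ']</i>';
}
// … unchanged: edit-column link and addSortLink() call …
```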
@@ -845,11 +857,11 @@ class DatabaseRecordList extends \TYPO3\CMS\Recordlist\RecordList\AbstractDataba
                                                        $editIdList = '\'+editList(\'' . $table . '\',\'' . $editIdList . '\')+\'';
                                                }
                                                $params = '&edit[' . $table . '][' . $editIdList . ']=edit&columnsOnly=' . $fCol . '&disHelp=1';
-                                               $iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), rtrim(trim($GLOBALS['LANG']->sL(\TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol))), ':'));
+                                               $iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), $sortLabel);
                                                $theData[$fCol] .= '<a href="#" onclick="' . htmlspecialchars(\TYPO3\CMS\Backend\Utility\BackendUtility::editOnClick($params, $this->backPath, -1)) . '" title="' . htmlspecialchars($iTitle) . '">' . \TYPO3\CMS\Backend\Utility\IconUtility::getSpriteIcon('actions-document-open') . '</a>';
                                        }
                                }
-                               $theData[$fCol] .= $this->addSortLink($GLOBALS['LANG']->sL(\TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol, '<i>[|]</i>')), $fCol, $table);
+                               $theData[$fCol] .= $this->addSortLink($sortLabel, $fCol, $table);
                                break;
                        }
                }