Fixed bug #14978: XSS in file tree (thanks to Georg Ringer)

author Oliver Hader <oliver.hader@typo3.org>

Wed, 28 Jul 2010 08:51:51 +0000 (08:51 +0000)

committer Oliver Hader <oliver.hader@typo3.org>

Wed, 28 Jul 2010 08:51:51 +0000 (08:51 +0000)
author Oliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:51:51 +0000 (08:51 +0000)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:51:51 +0000 (08:51 +0000)
diff --git a/ChangeLog b/ChangeLog

index 37c106c..6e026cd 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
  
         * Raised Extbase and Fluid from 1.2.0 to 1.2.1
         * Fixed bug #14953: XSS in (new) taskcenter (thanks to Georg Ringer)
+       * Fixed bug #14978: XSS in file tree (thanks to Georg Ringer)
  
  2010-07-27  Steffen Kamper  <steffen@typo3.org>
  
diff --git a/typo3/class.browse_links.php b/typo3/class.browse_links.php

index b5cfcbf..f3b39ed 100644 (file)
--- a/typo3/class.browse_links.php
+++ b/typo3/class.browse_links.php
@@ -423,6 +423,8 @@ class TBE_PageTree extends localPageTree {
          * @return      string          Wrapping title string.
          */
         function wrapTitle($title,$v,$ext_pArrPages)    {
+               $title = htmlspecialchars($title);
+
                 if ($ext_pArrPages)     {
                         $ficon=t3lib_iconWorks::getIcon('pages',$v);
                         $onClick = "return insertElement('pages', '".$v['uid']."', 'db', ".t3lib_div::quoteJSvalue($v['title']).", '', '', '".$ficon."','',1);";
@@ -470,6 +472,8 @@ class localFolderTree extends t3lib_folderTree {
          * @return      string          Wrapping title string.
          */
         function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+
                 if ($this->ext_isLinkable($v))  {
                         $aOnClick = 'return jumpToUrl(\''.$this->thisScript.'?act='.$GLOBALS['SOBE']->browser->act.'&mode='.$GLOBALS['SOBE']->browser->mode.'&expandFolder='.rawurlencode($v['path']).'\');';
                         return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
@@ -622,6 +626,8 @@ class TBE_FolderTree extends localFolderTree {
          * @return      string          Wrapping title string.
          */
         function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+
                 if ($this->ext_isLinkable($v))  {
                         $aOnClick = 'return jumpToUrl(\''.$this->thisScript.'?act='.$GLOBALS['SOBE']->browser->act.'&mode='.$GLOBALS['SOBE']->browser->mode.'&expandFolder='.rawurlencode($v['path']).'\');';
                         return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
diff --git a/typo3/sysext/rtehtmlarea/mod3/class.tx_rtehtmlarea_browse_links.php b/typo3/sysext/rtehtmlarea/mod3/class.tx_rtehtmlarea_browse_links.php

index bedc5b1..043ccc8 100644 (file)
--- a/typo3/sysext/rtehtmlarea/mod3/class.tx_rtehtmlarea_browse_links.php
+++ b/typo3/sysext/rtehtmlarea/mod3/class.tx_rtehtmlarea_browse_links.php
@@ -119,6 +119,8 @@ class tx_rtehtmlarea_folderTree extends rteFolderTree {
          * @return      string          Wrapping title string.
          */
         function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+               
                 if ($this->ext_isLinkable($v))  {
                         $aOnClick = 'return jumpToUrl(\''.$this->thisScript.'?act='.$GLOBALS['SOBE']->browser->act.'&editorNo='.$GLOBALS['SOBE']->browser->editorNo.'&contentTypo3Language='.$GLOBALS['SOBE']->browser->contentTypo3Language.'&contentTypo3Charset='.$GLOBALS['SOBE']->browser->contentTypo3Charset.'&mode='.$GLOBALS['SOBE']->browser->mode.'&expandFolder='.rawurlencode($v['path']).'\');';
                         return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
diff --git a/typo3/sysext/rtehtmlarea/mod4/class.tx_rtehtmlarea_select_image.php b/typo3/sysext/rtehtmlarea/mod4/class.tx_rtehtmlarea_select_image.php

index b2638e2..7585508 100644 (file)
--- a/typo3/sysext/rtehtmlarea/mod4/class.tx_rtehtmlarea_select_image.php
+++ b/typo3/sysext/rtehtmlarea/mod4/class.tx_rtehtmlarea_select_image.php
@@ -53,6 +53,8 @@ class tx_rtehtmlarea_image_folderTree extends t3lib_folderTree {
          * @return      string          Wrapping title string.
          */
         function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+               
                 if ($this->ext_isLinkable($v))  {
                         $aOnClick = 'return jumpToUrl(\'?editorNo='.$GLOBALS['SOBE']->browser->editorNo.'&expandFolder='.rawurlencode($v['path']).'\');';
                         return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
author	Oliver Hader <oliver.hader@typo3.org>
	Wed, 28 Jul 2010 08:51:51 +0000 (08:51 +0000)
committer	Oliver Hader <oliver.hader@typo3.org>
	Wed, 28 Jul 2010 08:51:51 +0000 (08:51 +0000)
ChangeLog		patch \| blob \| history
typo3/class.browse_links.php		patch \| blob \| history
typo3/sysext/rtehtmlarea/mod3/class.tx_rtehtmlarea_browse_links.php		patch \| blob \| history
typo3/sysext/rtehtmlarea/mod4/class.tx_rtehtmlarea_select_image.php		patch \| blob \| history