[SECURITY] XSS in belog module 22/45522/2
authorOliver Hader <oliver@typo3.org>
Wed, 30 Dec 2015 12:24:30 +0000 (13:24 +0100)
committerMorton Jonuschat <m.jonuschat@mojocode.de>
Wed, 30 Dec 2015 17:10:33 +0000 (18:10 +0100)
The username of a backend user and the title of a workspace record
lack proper escaping when rendered in the belog module.

Since this has only impact on admin users in the backend, the
fix is handled in public instead of a security release.

Resolves: #72475
Releases: master, 7.6, 6.2
Change-Id: Ib165f8ef849a641984fc5fb834b30983f7b63a54
Reviewed-on: https://review.typo3.org/45519
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit 056323e9141c9028d07c1e12543584e03b5f0c9e)
Reviewed-on: https://review.typo3.org/45522

typo3/sysext/belog/Classes/ViewHelpers/UsernameViewHelper.php
typo3/sysext/belog/Classes/ViewHelpers/WorkspaceTitleViewHelper.php

index 1c7c3e0..0275173 100644 (file)
@@ -60,7 +60,7 @@ class UsernameViewHelper extends AbstractViewHelper implements CompilableInterfa
         $uid = $arguments['uid'];
 
         if (isset(static::$usernameRuntimeCache[$uid])) {
-            return static::$usernameRuntimeCache[$uid];
+            return htmlspecialchars(static::$usernameRuntimeCache[$uid]);
         }
 
         $objectManager = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\Object\ObjectManager::class);
@@ -69,6 +69,6 @@ class UsernameViewHelper extends AbstractViewHelper implements CompilableInterfa
         $user = $backendUserRepository->findByUid($uid);
         // $user may be NULL if user was deleted from DB, set it to empty string to always return a string
         static::$usernameRuntimeCache[$uid] = ($user === null) ? '' : $user->getUserName();
-        return static::$usernameRuntimeCache[$uid];
+        return htmlspecialchars(static::$usernameRuntimeCache[$uid]);
     }
 }
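Review bot: The two new `htmlspecialchars()` return sites rely on the function's default flags and charset, which on the PHP versions these branches run on leave single quotes unencoded and take the charset from ini configuration, so the value is only safe in HTML text and double-quoted attributes. Passing the parameters explicitly, `return htmlspecialchars(static::$usernameRuntimeCache[$uid], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, removes that dependency and covers single-quoted attribute context as well (`ENT_SUBSTITUTE` needs PHP 5.4, so omit it on any branch that must still support older PHP). Without `ENT_SUBSTITUTE` an invalid UTF-8 byte sequence in a stored username makes the call return an empty string, which silently blanks the name in the log view rather than reporting it. The same applies to both return sites in WorkspaceTitleViewHelper. The render method's signature and docblock lie outside the hunk.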
index 9df2eb3..e67af94 100644 (file)
@@ -60,7 +60,7 @@ class WorkspaceTitleViewHelper extends AbstractViewHelper implements CompilableI
         $uid = $arguments['uid'];
 
         if (isset(static::$workspaceTitleRuntimeCache[$uid])) {
-            return static::$workspaceTitleRuntimeCache[$uid];
+            return htmlspecialchars(static::$workspaceTitleRuntimeCache[$uid]);
         }
 
         if ($uid === 0) {
@@ -76,6 +76,6 @@ class WorkspaceTitleViewHelper extends AbstractViewHelper implements CompilableI
             static::$workspaceTitleRuntimeCache[$uid] = ($workspace === null) ? '' : $workspace->getTitle();
         }
 
-        return static::$workspaceTitleRuntimeCache[$uid];
+        return htmlspecialchars(static::$workspaceTitleRuntimeCache[$uid]);
     }
 }
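Review bot: The changed return statements now produce HTML-encoded text, but nothing in the ViewHelper records that contract, so a template author may escape the value a second time, or a later Fluid version that escapes ViewHelper output itself would double-encode a title such as `Q&A`. I would add to the render docblock (outside the hunk, above the first changed line) the sentence `The returned title is already HTML-encoded via htmlspecialchars() and must be output without further escaping.` and the same sentence to UsernameViewHelper::render. Keeping the raw title in the runtime cache and encoding on every return is a reasonable choice, but it is worth stating at the cache write, e.g. `// cache holds the raw title; escaping happens at the return sites`, so nobody "optimises" by storing the encoded string and later reuses it in a non-HTML context.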