[SECURITY] Escape record title in RecordsOverview 97/53897/2
author Georg Ringer <georg.ringer@gmail.com>
Tue, 5 Sep 2017 09:36:47 +0000 (11:36 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 5 Sep 2017 09:36:50 +0000 (11:36 +0200)
The record title must be properly escaped.

Resolves: #81967
Releases: master, 8.7
Security-Commit: de3b93658fc0ab0542903d943455c33834456a60
Security-Bulletin: TYPO3-CORE-SA-2017-004
Change-Id: I89a8c14fc6ce043d7dab09f63c9d820519a19532
Reviewed-on: https://review.typo3.org/53897
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Form/FieldWizard/RecordsOverview.php

index 0e3ea4f..74bf421 100644 (file)
@@ -64,7 +64,7 @@ class RecordsOverview extends AbstractNode
                 $selectedItem['uid']
             );
             $linkedTitle = BackendUtility::wrapClickMenuOnIcon(
-                $shortenedTitle,
+                htmlspecialchars($shortenedTitle),
                 $selectedItem['table'],
                 $selectedItem['uid']
             );
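Review bot: the escaping in the `+` line is applied at the right layer (the caller, before the value reaches `wrapClickMenuOnIcon`, which emits it as HTML), but the patch adds no test, and nothing in the hunk shows whether `$shortenedTitle` is guaranteed to arrive unescaped. Please confirm the producer of `$shortenedTitle` (the call ending at `$selectedItem['uid']` above) does not already HTML-encode the title, otherwise an ampersand in a record title will now render as `&amp;amp;`; a functional test rendering a record whose title contains `<` and `&` would pin both the escaping and the absence of double-encoding.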