[SECURITY] Escape caption of media using css_styled_content 73/45273/2
authorGeorg Ringer <georg.ringer@gmail.com>
Tue, 15 Dec 2015 10:35:47 +0000 (11:35 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:35:52 +0000 (11:35 +0100)
The caption must be escaped. As this is only a textarea, the parsefunc
is not needed.

Furthermore, the fields "altText" and "titleText" now use htmlSpecialChars instead of stripHtml.

Resolves: #41690
Releases: master, 6.2
Security-Commit: 8b11cfd8fba0c68effad41f4fdc07f4b593a62cc
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ia32b37e93cbe3d5f171a7986fb17539d84e99325
Reviewed-on: https://review.typo3.org/45273
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/css_styled_content/static/setup.txt
typo3/sysext/css_styled_content/static/v4.5/setup.txt
typo3/sysext/css_styled_content/static/v4.6/setup.txt
typo3/sysext/css_styled_content/static/v4.7/setup.txt
typo3/sysext/css_styled_content/static/v6.0/setup.txt
typo3/sysext/css_styled_content/static/v6.1/setup.txt

index a4e5f17..509032a 100644 (file)
@@ -747,7 +747,7 @@ tt_content.image.20 {
                altText = TEXT
                altText {
                        data = file:current:alternative
-                       stripHtml = 1
+                       htmlSpecialChars = 1
                }
 
                titleText < .altText
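Review bot: Replacing `stripHtml = 1` with `htmlSpecialChars = 1` on L32 risks double-encoding the alt attribute: the IMAGE cObject emits alt/title through getAltParam(), which in the core code I recall already wraps the stdWrap result in htmlspecialchars(), so an alternative text containing `&` would come out as `&amp;amp;` and `"` as `&amp;quot;`. If that is still the case in this branch, stripHtml was not the attribute-injection vector here and the change should either be reverted to `stripHtml = 1` or the escaping kept on one side only; please verify with a file alternative text such as `A "quoted" & test`. Because `titleText < .altText` on L35 copies the whole configuration, the same applies to the title attribute. The enclosing IMAGE configuration begins above this hunk.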
@@ -793,7 +793,7 @@ tt_content.image.20 {
                        1 {
                                data = file:current:description
                                required = 1
-                               parseFunc =< lib.parseFunc
+                               htmlSpecialChars = 1
                                br = 1
                        }
                }
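Review bot: The correctness of `htmlSpecialChars = 1` on L41 depends on stdWrap's fixed processing order rather than the TypoScript line order, which is not obvious to someone editing this block later: stdWrap runs required and htmlSpecialChars before br, so the `<br />` tags added by `br = 1` on L42 survive while editor-supplied markup is escaped. I would add `# Caption is plain text: escaped first, then br (fixed stdWrap order); parseFunc intentionally not applied` above L41. This is also a functional change beyond the security fix — captions that relied on parseFunc features such as `<link>` markup now render literally — and deserves a line in the bulletin or changelog. Note that stdWrap's htmlSpecialChars uses PHP's default flags (double quotes escaped, single quotes not), which is adequate for element content here but should not be copied into a single-quoted attribute context.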
index 84f3864..35e83ee 100644 (file)
@@ -513,7 +513,7 @@ tt_content.image.20 {
                altText = TEXT
                altText {
                        field = altText
-                       stripHtml = 1
+                       htmlSpecialChars = 1
                        split.token.char = 10
                        split.token.if.isTrue = {$styles.content.imgtext.imageTextSplit}
                        split.returnKey.data = register : IMAGE_NUM_CURRENT
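Review bot: As with the FAL-based template, `htmlSpecialChars = 1` on L51 is likely to double-encode the alt attribute if getAltParam() in this branch still applies htmlspecialchars() itself, as I believe it does; `&` in the altText field would then render as `&amp;amp;`. Please check the rendered markup for a field value containing `&` or `"` and keep `stripHtml = 1` if the attribute is already escaped downstream. Ordering-wise the change is sound: stdWrap runs split before htmlSpecialChars, so only the segment chosen via `split.returnKey` on L54 is escaped and the newline separator on L52 is consumed first. The enclosing altText object continues below this hunk.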
@@ -551,7 +551,7 @@ tt_content.image.20 {
                1 {
                        field = imagecaption
                        required = 1
-                       parseFunc =< lib.parseFunc
+                       htmlSpecialChars = 1
                        br = 1
                        split.token.char = 10
                        split.token.if.isPositive = {$styles.content.imgtext.imageTextSplit} + {$styles.content.imgtext.captionSplit}
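Review bot: Because stdWrap applies split before htmlSpecialChars, the escaping on L60 runs on whatever split returns; this is correct for the default `returnKey` selection, but a site that overrides `split` here with per-segment `cObjNum`/`wrap` markup would now have that markup escaped. That interaction is worth a comment, e.g. `# Escaped after split and before br (fixed stdWrap order); do not add markup inside split` above L60. The `br = 1` on L61 is still applied after escaping, so the generated `<br />` is not affected. The enclosing caption object continues below this hunk.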
index c8adb4a..d10aa45 100644 (file)
@@ -517,7 +517,7 @@ tt_content.image.20 {
                altText = TEXT
                altText {
                        field = altText
-                       stripHtml = 1
+                       htmlSpecialChars = 1
                        split.token.char = 10
                        split.token.if.isTrue = {$styles.content.imgtext.imageTextSplit}
                        split.returnKey.data = register : IMAGE_NUM_CURRENT
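Review bot: `htmlSpecialChars = 1` on L70 may double-encode the alt attribute if getAltParam() already calls htmlspecialchars() on the stdWrap result in this branch, which I believe it does; a value containing `&` would then render as `&amp;amp;`. Verify the output for a field value with `&` or `"` and, if confirmed, keep `stripHtml = 1` here since the attribute is escaped at emission. The split on L71–L73 runs before the escaping in stdWrap order, so the selected segment is what gets escaped.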
@@ -555,7 +555,7 @@ tt_content.image.20 {
                1 {
                        field = imagecaption
                        required = 1
-                       parseFunc =< lib.parseFunc
+                       htmlSpecialChars = 1
                        br = 1
                        split.token.char = 10
                        split.token.if.isPositive = {$styles.content.imgtext.imageTextSplit} + {$styles.content.imgtext.captionSplit}
index aea26c9..3f68e2e 100644 (file)
@@ -707,7 +707,7 @@ tt_content.image.20 {
                altText = TEXT
                altText {
                        field = altText
-                       stripHtml = 1
+                       htmlSpecialChars = 1
                        split.token.char = 10
                        split.token.if.isTrue = {$styles.content.imgtext.imageTextSplit}
                        split.returnKey.data = register : IMAGE_NUM_CURRENT
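Review bot: Same concern for L89 as for the other static templates: if getAltParam() in this branch still wraps the altText in htmlspecialchars(), this change double-encodes `&` and `"` in the alt attribute rather than fixing an injection. Please confirm against rendered output before shipping, and prefer `stripHtml = 1` if the downstream escaping is present. The split configuration on L90–L92 is unaffected because stdWrap runs split before htmlSpecialChars.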
@@ -800,7 +800,7 @@ tt_content.image.20 {
                        1 {
                                field = imagecaption
                                required = 1
-                               parseFunc =< lib.parseFunc
+                               htmlSpecialChars = 1
                                br = 1
                                trim = 1
                                split.token.char = 10
index 25e15a4..2377ded 100644 (file)
@@ -708,7 +708,7 @@ tt_content.image.20 {
                altText = TEXT
                altText {
                        field = altText
-                       stripHtml = 1
+                       htmlSpecialChars = 1
                        split.token.char = 10
                        split.token.if.isTrue = {$styles.content.imgtext.imageTextSplit}
                        split.returnKey.data = register : IMAGE_NUM_CURRENT
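Review bot: The `htmlSpecialChars = 1` on L108 should be checked against getAltParam() in this branch; if that method already applies htmlspecialchars() when building the alt/title attributes, as I recall, the result is double encoding (`&` → `&amp;amp;`) rather than a hardening. A quick render with an altText containing `&` settles it; if confirmed, `stripHtml = 1` is the safer choice since the attribute escaping lives downstream. stdWrap's fixed order runs the split on L109–L111 before the escaping, so that part is fine.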
@@ -801,7 +801,7 @@ tt_content.image.20 {
                        1 {
                                field = imagecaption
                                required = 1
-                               parseFunc =< lib.parseFunc
+                               htmlSpecialChars = 1
                                br = 1
                                split.token.char = 10
                                split.token.if.isPositive = {$styles.content.imgtext.imageTextSplit} + {$styles.content.imgtext.captionSplit}
index a833b66..c5821a7 100644 (file)
@@ -708,7 +708,7 @@ tt_content.image.20 {
                altText = TEXT
                altText {
                        field = altText
-                       stripHtml = 1
+                       htmlSpecialChars = 1
                        split.token.char = 10
                        split.token.if.isTrue = {$styles.content.imgtext.imageTextSplit}
                        split.returnKey.data = register : IMAGE_NUM_CURRENT
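Review bot: As in the other templates, `htmlSpecialChars = 1` on L127 likely double-encodes the alt attribute if getAltParam() already calls htmlspecialchars() on the stdWrap result in this branch; check with an altText containing `&` or `"` and keep `stripHtml = 1` if the attribute is escaped at emission. The split on L128–L130 runs before the escaping in stdWrap order, so only the selected segment is affected.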
@@ -801,7 +801,7 @@ tt_content.image.20 {
                        1 {
                                field = imagecaption
                                required = 1
-                               parseFunc =< lib.parseFunc
+                               htmlSpecialChars = 1
                                br = 1
                                split.token.char = 10
                                split.token.if.isPositive = {$styles.content.imgtext.imageTextSplit} + {$styles.content.imgtext.captionSplit}