[BUGFIX] XSS in tcemain flash message
authorGeorg Ringer <mail@ringerge.org>
Wed, 27 Jul 2011 10:29:47 +0000 (12:29 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:31:06 +0000 (12:31 +0200)
Change-Id: I41c91d929b8c018e4fdb7b452cd1fabf583c697a
Resolves: #24535
Reviewed-on: http://review.typo3.org/3761
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tcemain.php

index cf48040..57c67eb 100644 (file)
@@ -7001,7 +7001,7 @@ class t3lib_TCEmain {
                        $log_data = unserialize($row['log_data']);
                        $msg = $row['error'] . ': ' . sprintf($row['details'], $log_data[0], $log_data[1], $log_data[2], $log_data[3], $log_data[4]);
                        $flashMessage = t3lib_div::makeInstance('t3lib_FlashMessage',
-                                                                                                       $msg,
+                                                                                                       htmlspecialchars($msg),
                                                                                                        '',
                                                                                                        t3lib_FlashMessage::ERROR,
                                                                                                        TRUE
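Review bot: The added `htmlspecialchars($msg)` call relies on the default flags, which on PHP versions of this era leave single quotes unescaped, and nothing at the call site says why the escaping is needed. The fix implies that t3lib_FlashMessage emits its message as raw HTML (its rendering is not visible in this hunk), so I would write `htmlspecialchars($msg, ENT_QUOTES),` and put `// FlashMessage outputs the message unescaped; $msg is built from logged values` above the makeInstance call. Other code that builds flash messages from stored or request data presumably needs the same treatment, since the escaping lives in the caller and not in the renderer. Separately, the first context line passes `$row['log_data']` to `unserialize()` and indexes the result without checking that it is an array; it is worth confirming that this column only ever holds data the logger serialised itself. The enclosing method starts and ends outside the hunk.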