[BUGFIX] Add missing htmlspecialchars in DocumentTemplate 91/36391/3
authorSascha Egerer <sascha.egerer@dkd.de>
Thu, 29 Jan 2015 22:44:20 +0000 (23:44 +0100)
committerChristian Kuhn <lolli@schwarzbu.ch>
Fri, 30 Jan 2015 13:02:02 +0000 (14:02 +0100)
A stored XSS is possible via a crafted filename. Such a file has to be
created directly in the storage backend, as uploading files with those
names is not possible.
Add a missing htmlspecialchars to prevent html injection.

Resolves: #64618
Releases: master, 6.2
Change-Id: I192e736fe629a37e923cc02a740fa2aadea20ee1
Reviewed-on: http://review.typo3.org/36391
Reviewed-by: Ingo Schmitt <is@marketing-factory.de>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Tested-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/backend/Classes/Template/DocumentTemplate.php
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php

index 6b5f0da..809796e 100644 (file)
@@ -512,7 +512,7 @@ function jumpToUrl(URL) {
                if ($returnTagParameters) {
                        return $tagParameters;
                } else {
-                       return '<a href="#" ' . GeneralUtility::implodeAttributes($tagParameters) . '>' . $content . '</a>';
+                       return '<a href="#" ' . GeneralUtility::implodeAttributes($tagParameters, TRUE) . '>' . $content . '</a>';
                }
        }
 
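Review bot: The escaping added on line 31 only covers the branch that renders the tag itself; when `$returnTagParameters` is true the raw `$tagParameters` array is handed back on line 28 unescaped, so any caller that builds its own `<a>` from it still has to run every value through htmlspecialchars (or pass TRUE to implodeAttributes as done here). That contract is worth stating in the method's docblock, e.g. `@return string|array The rendered tag, or the raw, unescaped attribute array when $returnTagParameters is set — callers must escape those values themselves`. `$content` is likewise concatenated without escaping, which is presumably intended because it carries icon markup, but the docblock should say the caller is responsible for it. The method's signature and the rest of its body lie outside this hunk.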
index 3264b74..6de0d17 100644 (file)
@@ -369,7 +369,14 @@ class ExtendedFileUtility extends BasicFileUtility {
 
                                                if ($shortcutRecord) {
                                                        $icon = IconUtility::getSpriteIconForRecord($row['tablename'], $shortcutRecord);
-                                                       $icon = '<a href="#" class="t3-js-clickmenutrigger" data-table="' . $row['tablename'] . '" data-uid="' . $row['recuid'] . '" data-listframe="1" data-iteminfo="%2Binfo,history,edit">' . $icon . '</a>';
+                                                       $tagParameters = array(
+                                                               'class'           => 't3-js-clickmenutrigger',
+                                                               'data-table'      => $row['tablename'],
+                                                               'data-uid'        => $row['recuid'],
+                                                               'data-listframe'  => 1,
+                                                               'data-iteminfo'   => '%2Binfo,history,edit'
+                                                       );
+                                                       $icon = '<a href="#" ' . GeneralUtility::implodeAttributes($tagParameters, TRUE) . '>' . $icon . '</a>';
                                                        $shortcutContent[] = $icon . htmlspecialchars((BackendUtility::getRecordTitle($row['tablename'], $shortcutRecord) . '  [' . BackendUtility::getRecordPath($shortcutRecord['pid'], '', 80) . ']'));
                                                } else {
                                                        $brokenReferences[] = $fileReferenceRow['ref_uid'];
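Review bot: `data-uid` on line 44 is filled straight from `$row['recuid']`; a record uid can only be an integer, so casting it — `'data-uid' => (int)$row['recuid'],` — makes that explicit and stops the attribute from depending on the escaping at all, while `data-table` genuinely needs the escaping because table names are strings. The fix relies on the second argument of implodeAttributes applying htmlspecialchars to every value, which matches the commit message but is not visible in this hunk, so a short comment above the array would help the next reader, e.g. `// tablename/recuid presumably come from reference records; TRUE makes implodeAttributes escape the values for the attribute context`. The enclosing method starts outside this hunk.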