[+BUGFIX] Fluid (ViewHelpers): Fixed a possible security issue where the content...
authorSebastian Kurfürst <sebastian@typo3.org>
Mon, 26 Jul 2010 13:31:14 +0000 (13:31 +0000)
committerSebastian Kurfürst <sebastian@typo3.org>
Mon, 26 Jul 2010 13:31:14 +0000 (13:31 +0000)
typo3/sysext/fluid/Classes/ViewHelpers/Form/TextareaViewHelper.php
typo3/sysext/fluid/Tests/Unit/ViewHelpers/Form/TextareaViewHelperTest.php

index 609784b..0d992dd 100644 (file)
@@ -74,7 +74,7 @@ class Tx_Fluid_ViewHelpers_Form_TextareaViewHelper extends Tx_Fluid_ViewHelpers_
 
                $this->tag->forceClosingTag(TRUE);
                $this->tag->addAttribute('name', $name);
-               $this->tag->setContent($this->getValue());
+               $this->tag->setContent(htmlspecialchars($this->getValue()));
 
                $this->setErrorClassAttribute();
 
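Review bot: The new `htmlspecialchars()` call on the added line relies on the function's default flags and default charset, so what gets escaped depends on the PHP version the site runs on (the default charset was ISO-8859-1 before PHP 5.4 and UTF-8 from then on); a call whose purpose is to block markup injection should pin both, e.g. `$this->tag->setContent(htmlspecialchars($this->getValue(), ENT_QUOTES, 'UTF-8'));` with the charset matching the encoding the page is actually served in. Passing the real output charset also lets `htmlspecialchars()` treat malformed multibyte sequences as such instead of escaping byte-wise. Whether `getValue()` can return something other than a string (null, or an object) is not visible in this hunk and should be confirmed, since the escaping is only as good as the string it receives. The enclosing `render()` method starts and ends outside the hunk.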
index 6e6e711..a5c34fa 100644 (file)
@@ -88,6 +88,29 @@ class Tx_Fluid_ViewHelpers_Form_TextareaViewHelperTest extends Tx_Fluid_ViewHelp
                $this->viewHelper->expects($this->once())->method('setErrorClassAttribute');
                $this->viewHelper->render();
        }
+
+       /**
+        * @test
+        * @author Bastian Waidelich <bastian@typo3.org>
+        */
+       public function renderEscapesTextareaContent() {
+               $mockTagBuilder = $this->getMock('Tx_Fluid_Core_ViewHelper_TagBuilder', array('addAttribute', 'setContent', 'render'), array(), '', FALSE);
+               $mockTagBuilder->expects($this->once())->method('addAttribute')->with('name', 'NameOfTextarea');
+               $this->viewHelper->expects($this->once())->method('registerFieldNameForFormTokenGeneration')->with('NameOfTextarea');
+               $mockTagBuilder->expects($this->once())->method('setContent')->with('some &lt;tag&gt; &amp; &quot;quotes&quot;');
+               $mockTagBuilder->expects($this->once())->method('render');
+               $this->viewHelper->injectTagBuilder($mockTagBuilder);
+
+               $arguments = new Tx_Fluid_Core_ViewHelper_Arguments(array(
+                       'name' => 'NameOfTextarea',
+                       'value' => 'some <tag> & "quotes"'
+               ));
+               $this->viewHelper->setArguments($arguments);
+
+               $this->viewHelper->setViewHelperNode(new Tx_Fluid_ViewHelpers_Fixtures_EmptySyntaxTreeNode());
+               $this->viewHelper->initialize();
+               $this->viewHelper->render();
+       }
 }
 
 ?>
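Review bot: The new `renderEscapesTextareaContent` test pins a single input, so it leaves the treatment of already-escaped content undocumented; a second, constructed dataset such as `'value' => 'a &amp; b'` with `setContent` expected to receive `'a &amp;amp; b'` would make the double-encoding behaviour of the fix an explicit decision rather than an accident of the default flags. The `with()` expectation on `setContent` is the only line that verifies the fix, so the `addAttribute` and `render` expectations add noise that can be dropped to keep the test focused on the escaping. The enclosing test class starts outside the hunk.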