[SECURITY] XSS in content element "Form" 94/46694/2
authorHelmut Hummel <helmut.hummel@typo3.org>
Tue, 16 Feb 2016 10:43:32 +0000 (11:43 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 16 Feb 2016 10:43:54 +0000 (11:43 +0100)
Encode field names and options of select and radio elements.

Resolves: #25244
Releases: 6.2
Security-Commit: 7121a0c39e8801e860e29b77c6e33319bc27fd75
Security-Bulletinsp: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: I2c2a1a71499ee4757b420df64a3604576d945da4
Reviewed-on: https://review.typo3.org/46694
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/FormContentObject.php

index 84265a5..dc22dea 100644 (file)
@@ -293,7 +293,10 @@ class FormContentObject extends \TYPO3\CMS\Frontend\ContentObject\AbstractConten
                                                // Create the select-box:
                                                $iCount = count($items);
                                                for ($a = 0; $a < $iCount; $a++) {
-                                                       $option .= '<option value="' . $items[$a][1] . '"' . (in_array($items[$a][1], $defaults) ? ' selected="selected"' : '') . '>' . trim($items[$a][0]) . '</option>';
+                                                       $option .= '<option value="' . htmlspecialchars($items[$a][1]) . '"' .
+                                                               (in_array($items[$a][1], $defaults) ? ' selected="selected"' : '') . '>' .
+                                                               htmlspecialchars(trim($items[$a][0])) .
+                                                               '</option>';
                                                }
                                                if ($multiple) {
                                                        // The fieldname must be prepended '[]' if multiple select. And the reason why it's prepended is, because the required-field list later must also have [] prepended.
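Review bot: The `selected` test on the second added line still uses a loose `in_array($items[$a][1], $defaults)`, whereas the radio hunk later in this file compares `(string)$items[$a][1] === (string)$default`; under PHP's loose rules numeric-looking option values (e.g. `'1e1'` vs `'10'`) can match unintentionally. Making the select branch consistent with the radio branch is a one-line change, `(in_array((string)$items[$a][1], array_map('strval', (array)$defaults), true) ? ' selected="selected"' : '')`, assuming `$defaults` is the array of submitted or configured default values (it is set outside this hunk). The encoding itself looks right for a double-quoted attribute and element text: `htmlspecialchars()` with default flags escapes `"`, `&`, `<`, `>`. The enclosing method continues outside the hunk on both sides.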
@@ -336,16 +339,16 @@ class FormContentObject extends \TYPO3\CMS\Frontend\ContentObject\AbstractConten
                                                        $optionParts = '';
                                                        $radioId = $prefix . $fName . $this->cObj->cleanFormName($items[$a][0]);
                                                        if ($accessibility) {
-                                                               $radioLabelIdAttribute = ' id="' . $radioId . '"';
+                                                               $radioLabelIdAttribute = ' id="' . htmlspecialchars($radioId) . '"';
                                                        } else {
                                                                $radioLabelIdAttribute = '';
                                                        }
-                                                       $optionParts .= '<input type="radio" name="' . $confData['fieldname'] . '"' . $radioLabelIdAttribute . ' value="' . $items[$a][1] . '"' . ((string)$items[$a][1] === (string)$default ? ' checked="checked"' : '') . $addParams . ' />';
+                                                       $optionParts .= '<input type="radio" name="' . $confData['fieldname'] . '"' . $radioLabelIdAttribute . ' value="' . htmlspecialchars($items[$a][1]) . '"' . ((string)$items[$a][1] === (string)$default ? ' checked="checked"' : '') . $addParams . ' />';
                                                        if ($accessibility) {
                                                                $label = isset($conf['radioWrap.']) ? $this->cObj->stdWrap(trim($items[$a][0]), $conf['radioWrap.']) : trim($items[$a][0]);
                                                                $optionParts .= '<label for="' . $radioId . '">' . $label . '</label>';
                                                        } else {
-                                                               $optionParts .= isset($conf['radioWrap.']) ? $this->cObj->stdWrap(trim($items[$a][0]), $conf['radioWrap.']) : trim($items[$a][0]);
+                                                               $optionParts .= isset($conf['radioWrap.']) ? $this->cObj->stdWrap(trim($items[$a][0]), $conf['radioWrap.']) : htmlspecialchars(trim($items[$a][0]));
                                                        }
                                                        $option .= isset($conf['radioInputWrap.']) ? $this->cObj->stdWrap($optionParts, $conf['radioInputWrap.']) : $optionParts;
                                                }
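Review bot: The accessibility branch is still left unencoded in two places the non-accessibility branch now covers: at `$label = isset($conf['radioWrap.']) ? ... : trim($items[$a][0]);` the fallback keeps the raw option label, while the parallel line below it was changed to `htmlspecialchars(trim($items[$a][0]))`; and `'<label for="' . $radioId . '">'` emits `$radioId` raw, although the same value was encoded for the `id` attribute three lines above. Changing the fallback to `: htmlspecialchars(trim($items[$a][0]));` and the label to `'<label for="' . htmlspecialchars($radioId) . '">' . $label . '</label>'` makes both branches consistent. `$confData['fieldname']` is also concatenated into `name="..."` without encoding here; if it is not already encoded where it is built (outside this hunk), the same treatment applies. Whether the `stdWrap` path encodes depends on the `radioWrap.` configuration and cannot be judged from the hunk.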
@@ -626,4 +629,4 @@ class FormContentObject extends \TYPO3\CMS\Frontend\ContentObject\AbstractConten
                }
        }
 
-}
+}
\ No newline at end of file