[BUGFIX] Write config to extTables destroys HTML output 94/19694/2
authorPhilipp Gampe <philipp.gampe@typo3.org>
Sat, 6 Apr 2013 18:47:43 +0000 (20:47 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Sat, 6 Apr 2013 20:55:41 +0000 (22:55 +0200)
If you enter HTML to update a field in e.g. TCA to write the value into
extTables.php, then the HTML will be printed into the configuration
module.
Escape the output with htmlspecialchars().

Fixes: #46999
Releases: 6.1,6.0,4.7,4.5
Change-Id: I390b4252316b8bdf01e5bbcc5a8b33833bdf73e8
Reviewed-on: https://review.typo3.org/19694
Reviewed-by: Christian Kuhn
Tested-by: Christian Kuhn
typo3/sysext/lowlevel/Classes/View/ConfigurationView.php

index feaf4de..b011368 100644 (file)
@@ -244,10 +244,25 @@ class ConfigurationView {
                                $success = \TYPO3\CMS\Core\Utility\GeneralUtility::writeFile(PATH_typo3conf . TYPO3_extTableDef_script, $extTables);
                                if ($success) {
                                        // show flash message
-                                       $flashMessage = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Messaging\\FlashMessage', '', sprintf($GLOBALS['LANG']->getLL('writeMessage', TRUE), TYPO3_extTableDef_script, '<br />', '<strong>' . nl2br($changedLine) . '</strong>'), \TYPO3\CMS\Core\Messaging\FlashMessage::OK);
+                                       $flashMessage = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(
+                                               'TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
+                                               '',
+                                               sprintf(
+                                                       $GLOBALS['LANG']->getLL('writeMessage', TRUE),
+                                                       TYPO3_extTableDef_script,
+                                                       '<br />',
+                                                       '<strong>' . nl2br(htmlspecialchars($changedLine)) . '</strong>'
+                                               ),
+                                               \TYPO3\CMS\Core\Messaging\FlashMessage::OK
+                                       );
                                } else {
                                        // Error: show flash message
-                                       $flashMessage = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Messaging\\FlashMessage', '', sprintf($GLOBALS['LANG']->getLL('writeMessageFailed', TRUE), TYPO3_extTableDef_script), \TYPO3\CMS\Core\Messaging\FlashMessage::ERROR);
+                                       $flashMessage = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(
+                                               'TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
+                                               '',
+                                               sprintf($GLOBALS['LANG']->getLL('writeMessageFailed', TRUE), TYPO3_extTableDef_script),
+                                               \TYPO3\CMS\Core\Messaging\FlashMessage::ERROR
+                                       );
                                }
                                $this->content .= $flashMessage->render();
                        }
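Review bot: The success branch now passes one escaped argument next to two raw markup arguments (`'<br />'`, `'<strong>…</strong>'`), and the `// show flash message` comment does not say why, so a later reformat could drop the `htmlspecialchars()` again. I would replace that comment with `// Message body is output as HTML: $changedLine is user input and must be escaped, the other arguments are fixed markup`. `TYPO3_extTableDef_script` still goes into `sprintf()` unescaped in both the success and the failure message; it is a constant and presumably not user-controlled, but `htmlspecialchars(TYPO3_extTableDef_script)` would keep every non-markup argument on the same footing. The enclosing method starts and ends outside the hunk, so it is not visible here whether `$changedLine` is echoed anywhere else in this view; any other output of that value needs the same escaping.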