[BUGFIX] Double escape of title in indexed search 49/27849/3
authorMarkus Klein <klein.t3@mfc-linz.at>
Tue, 25 Feb 2014 17:08:56 +0000 (18:08 +0100)
committerWouter Wolters <typo3@wouterwolters.nl>
Mon, 3 Mar 2014 18:45:28 +0000 (19:45 +0100)
SearchController::compileSingleResultRow() causes double
htmlspecialchars() call on $title.

This patch removes the general htmlspecialchars() call since
$title will be escaped in linkPage() anyway.
The only place which requires escaping has the call added now.

Resolves: #56262
Releases: 6.2, 6.1, 6.0
Change-Id: Ic94fe7fe7d2145fc539adcdf21faf42c33f5b32e
Reviewed-on: https://review.typo3.org/27849
Reviewed-by: Stefan Neufeind
Reviewed-by: Dragan Tomic
Tested-by: Dragan Tomic
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
typo3/sysext/indexed_search/Classes/Controller/SearchController.php

index b5b30bb..a820a47 100644 (file)
@@ -349,7 +349,6 @@ class SearchController extends \TYPO3\CMS\Extbase\Mvc\Controller\ActionControlle
                        }
                }
                $title = $resultData['item_title'] . $resultData['titleaddition'];
-               $title = htmlspecialchars($title);
                // If external media, link to the media-file instead.
                if ($row['item_type']) {
                        if ($row['show_resume']) {
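Review bot: After this removal `$title` stays raw from its assignment onward, so every later use has to escape it at the point of output. The visible lines show that only for the file link in the second hunk; the commit message's statement that linkPage() escapes the title cannot be checked from here. Please confirm that no branch of compileSingleResultRow() (its body starts and ends outside both hunks) writes `$title` into markup without going through linkPage() or an explicit htmlspecialchars(). A comment on the assignment would keep the invariant visible to the next editor: `// $title is unescaped here; it is escaped at output by linkPage() or by the file link below`. A regression test using a title that contains `&` and `<`, run for both the page path and the external-media path, would pin the single-escape behaviour.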
@@ -358,7 +357,7 @@ class SearchController extends \TYPO3\CMS\Extbase\Mvc\Controller\ActionControlle
                                if ($GLOBALS['TSFE']->config['config']['fileTarget']) {
                                        $targetAttribute = ' target="' . htmlspecialchars($GLOBALS['TSFE']->config['config']['fileTarget']) . '"';
                                }
-                               $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . $title . '</a>';
+                               $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . htmlspecialchars($title) . '</a>';
                        } else {
                                // Suspicious, so linking to page instead...
                                $copiedRow = $row;