[SECURITY] XSS in TCE forms
authorChristian Kuhn <lolli@schwarzbu.ch>
Wed, 15 Aug 2012 10:17:48 +0000 (12:17 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:17:51 +0000 (12:17 +0200)
Properly encode field labels that are set via TSConfig.

Fixes: #25356
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: Ic41ce41cf8babd27867e71764173cf4e6524843e
Security-Commit: efdf638fa6f2971d62195aa40137e19a89884a2b
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13741
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tceforms.php
t3lib/class.t3lib_tceforms_inline.php
t3lib/tceforms/class.t3lib_tceforms_flexforms.php

index 9addb94..aae266b 100644 (file)
@@ -1539,7 +1539,7 @@ class t3lib_TCEforms {
                        if (in_array($p[1], $removeItems) || $languageDeny || $authModeDeny) {
                                unset($selItems[$tk]);
                        } elseif (isset($PA['fieldTSConfig']['altLabels.'][$p[1]])) {
-                               $selItems[$tk][0] = $this->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]);
+                               $selItems[$tk][0] = htmlspecialchars($this->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]));
                        }
 
                                // Removing doktypes with no access:
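Review bot: The new call on the `+` line uses `htmlspecialchars()` with its defaults, which on PHP before 5.4 means ENT_COMPAT (single quotes left alone) and an ISO-8859-1 charset, so the label is only safe for element-text or double-quoted-attribute output; if the rendering code that consumes `$selItems[$tk][0]` (outside this hunk) ever places it in a single-quoted attribute or a JS string the fix is insufficient, and `htmlspecialchars($this->sL(...), ENT_QUOTES)` would close that gap. The value is also encoded at storage rather than at output, so any downstream consumer that already escapes labels will now double-encode this one, and any that needs the raw text (e.g. for a `title` attribute built through a different escaper) will see entities — worth a comment such as `// altLabels come from editor-controlled TSConfig; stored already HTML-encoded, do not escape again on output`. The enclosing method of t3lib_TCEforms starts and ends outside the hunk, so I cannot confirm how the label is emitted.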
index 1f653fc..0ecdf8c 100644 (file)
@@ -1636,7 +1636,7 @@ class t3lib_TCEforms_inline {
                                if (in_array($p[1], $removeItems) || $languageDeny || $authModeDeny) {
                                        unset($selItems[$tk]);
                                } elseif (isset($PA['fieldTSConfig']['altLabels.'][$p[1]])) {
-                                       $selItems[$tk][0] = $this->fObj->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]);
+                                       $selItems[$tk][0] = htmlspecialchars($this->fObj->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]));
                                }
 
                                        // Removing doktypes with no access:
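Review bot: The `+` line is a verbatim copy of the select-item filtering in t3lib_TCEforms (same `altLabels.` branch, same `sL()` call, now the same `htmlspecialchars()`), and the fact that this bulletin had to patch both copies shows the two have already drifted once; a second TSConfig-driven label path added later will be missed the same way. Consider moving the resolve-and-encode step into one helper on the parent form object, e.g. `$selItems[$tk][0] = $this->fObj->getAltLabel($PA['fieldTSConfig'], $p[1]);`, so both classes share a single escaping decision. The surrounding method of t3lib_TCEforms_inline begins and ends outside the hunk.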
index 98a4b1d..ebbeac0 100644 (file)
@@ -273,7 +273,7 @@ class t3lib_TCEforms_Flexforms extends t3lib_TCEforms {
                                                // Rename
                                        foreach ($renameItems as $renameKey => $renameValue) {
                                                if (strcasecmp($renameKey, $itemConf[1]) == 0) {
-                                                       $selItems[$itemKey][0] = $renameValue;
+                                                       $selItems[$itemKey][0] = htmlspecialchars($renameValue);
                                                        unset($renameItems[$renameKey]);
                                                }
                                        }
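Review bot: On PHP 5.4 and later the default charset of `htmlspecialchars()` is UTF-8 and an invalid byte sequence makes it return an empty string, so a `renameItems` value from TSConfig containing a stray non-UTF-8 byte would silently blank the option label on the `+` line rather than display or reject it; where the supported PHP range allows it, `htmlspecialchars($renameValue, ENT_QUOTES | ENT_SUBSTITUTE)` keeps the label visible, and on older PHP a short comment recording the chosen flags is the minimum. Note also that, unlike the `altLabels.` branches in the two t3lib_tceforms files, this rename path encodes `$renameValue` without passing it through `sL()`; that is pre-existing behaviour, not introduced here, but it means `LLL:` references are encoded literally and the three code paths are not equivalent. The foreach sits inside a method whose start and end are outside the hunk.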