[BUGFIX] Prevent XSS in PageLayoutController 34/53734/2
authorWouter Wolters <typo3@wouterwolters.nl>
Thu, 17 Aug 2017 11:32:01 +0000 (13:32 +0200)
committerAndreas Fernandez <typo3@scripting-base.de>
Fri, 18 Aug 2017 13:39:53 +0000 (15:39 +0200)
Correctly use htmlspecialchars for the link.

Resolves: #82077
Releases: master,8.7,7.6
Change-Id: I87ea4010aa187f5f601c31423fb1a0fc05a23107
Reviewed-on: https://review.typo3.org/53734
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
typo3/sysext/backend/Classes/Controller/PageLayoutController.php

index 5183203..d4d5cb0 100644 (file)
@@ -521,7 +521,7 @@ class PageLayoutController
             $contentPage = BackendUtility::getRecord('pages', (int)$this->pageinfo['content_from_pid']);
             $linkToPid = $this->local_linkThisScript(['id' => $this->pageinfo['content_from_pid']]);
             $title = BackendUtility::getRecordTitle('pages', $contentPage);
-            $link = '<a href="' . $linkToPid . '">' . htmlspecialchars($title) . ' (PID ' . (int)$this->pageinfo['content_from_pid'] . ')</a>';
+            $link = '<a href="' . htmlspecialchars($linkToPid) . '">' . htmlspecialchars($title) . ' (PID ' . (int)$this->pageinfo['content_from_pid'] . ')</a>';
             $message = sprintf($lang->getLL('content_from_pid_title'), $link);
             $view = GeneralUtility::makeInstance(StandaloneView::class);
             $view->setTemplatePathAndFilename(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Templates/InfoBox.html'));
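Review bot: The added `htmlspecialchars($linkToPid)` relies on PHP's default flags, which on the PHP versions these release branches (7.6/8.7/master) target are `ENT_COMPAT | ENT_HTML401`: single quotes are left unescaped and a string containing invalid UTF-8 makes `htmlspecialchars` return an empty string, so the anchor would silently get `href=""`. The double-quoted attribute makes the quote issue moot here, but passing explicit flags on both calls, `htmlspecialchars($linkToPid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and the same for `$title`, states the attribute-context intent and survives a later change of quoting style. The built `$link` is then injected raw into the `content_from_pid_title` label via `sprintf`, so the label is presumably trusted HTML that the InfoBox template must render unescaped; a short comment such as `// $link is pre-escaped HTML; the label must not be escaped again by the template` would make that contract explicit. The enclosing method starts and ends outside this hunk.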