[SECURITY] XSS in Filelist 06/40806/2
author Markus Bucher <markusbucher@gmx.de>
Tue, 3 Jun 2014 06:06:05 +0000 (08:06 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:09:39 +0000 (16:09 +0200)
Properly escape user input when showing error messages
during file renaming.

Resolves: #59211
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-004
Change-Id: Iffafad7282445d51fa244f3b31e6886b0b0f65b6
Reviewed-on: http://review.typo3.org/40806
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php

index 726ddde..f9e4f58 100644 (file)
@@ -275,7 +275,7 @@ class ExtendedFileUtility extends BasicFileUtility {
                foreach ($this->getErrorMessages() as $msg) {
                        $flashMessage = GeneralUtility::makeInstance(
                                FlashMessage::class,
-                               $msg,
+                               htmlspecialchars($msg),
                                '',
                                FlashMessage::ERROR,
                                TRUE
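
Review bot: the `htmlspecialchars($msg)` argument in the `FlashMessage` constructor call encodes every entry returned by `getErrorMessages()`, not only the rename errors the commit message names, so any message that was already escaped where it was built will now be double-encoded. Please confirm that no producer of these messages pre-escapes, and add a short comment on this line stating that messages are stored raw and encoded here, at output. The call also relies on the default flags, which before PHP 8.1 leave single quotes unencoded; passing `ENT_QUOTES` explicitly would make the result safe regardless of where the flash message text ends up in the markup.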