[SECURITY] XSS in TCA Tree
authorOliver Hader <oliver@typo3.org>
Thu, 8 Nov 2012 11:44:51 +0000 (12:44 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 8 Nov 2012 11:44:54 +0000 (12:44 +0100)
Properly HTML-encode the labels of tree nodes.

Fixes: #42774
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: I56b823bdd7ac8f4e8d533604cc91eb99e3bcd808
Security-Commit: b1b0b68d026795d04721f73c436eab2de72285d9
Security-Bulletin: TYPO3-CORE-SA-2012-005
Reviewed-on: http://review.typo3.org/16306
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Tree/Renderer/ExtJsJsonTreeRenderer.php
typo3/sysext/backend/Classes/Tree/Renderer/UnorderedListTreeRenderer.php

index 626a564..8f49462 100644 (file)
@@ -76,6 +76,13 @@ class ExtJsJsonTreeRenderer extends \TYPO3\CMS\Backend\Tree\Renderer\AbstractTre
                        'id' => $node->getId(),
                        'uid' => $node->getId()
                );
+
+               foreach ($nodeArray as &$nodeItem) {
+                       if (is_string($nodeItem)) {
+                               $nodeItem = htmlspecialchars($nodeItem);
+                       }
+               }
+
                return $nodeArray;
        }
 
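Review bot: The by-reference `foreach ($nodeArray as &$nodeItem)` leaves `$nodeItem` bound to the last element after the loop; it is harmless here only because `return $nodeArray;` follows immediately, and any statement later inserted between the loop and the return that assigns `$nodeItem` would silently overwrite that element, so add `unset($nodeItem);` after the loop's closing brace. `htmlspecialchars()` is also called with default flags, which leave single quotes unencoded; if the ExtJS consumer ever places one of these values into a single-quoted attribute, `htmlspecialchars($nodeItem, ENT_QUOTES)` covers that case too, though the consumer is not visible from this hunk. Only top-level string entries are encoded, so any nested array values would pass through unchanged. The enclosing method starts outside the hunk.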
index 6d6276a..35c99d0 100644 (file)
@@ -50,7 +50,7 @@ class UnorderedListTreeRenderer extends \TYPO3\CMS\Backend\Tree\Renderer\Abstrac
         * @return string
         */
        public function renderNode(\TYPO3\CMS\Backend\Tree\TreeRepresentationNode $node, $recursive = TRUE) {
-               $code = '<li><span class="' . $node->getIcon() . '">&nbsp;</span>' . $node->getLabel();
+               $code = '<li><span class="' . htmlspecialchars($node->getIcon()) . '">&nbsp;</span>' . htmlspecialchars($node->getLabel());
                if ($recursive && $node->getChildNodes() !== NULL) {
                        $this->recursionLevel++;
                        $code .= $this->renderNodeCollection($node->getChildNodes());
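Review bot: `htmlspecialchars()` is called with default flags on the added line, so single quotes in the icon class or label are left as-is; that is sufficient for the double-quoted `class` attribute and the text node shown here, but passing `ENT_QUOTES` explicitly (`htmlspecialchars($node->getLabel(), ENT_QUOTES)`) keeps the output safe regardless of how the string is later embedded. The docblock above the signature should also state that the label and icon are now encoded, e.g. `* Label and icon class are HTML-encoded here; callers must not encode them again.`, so callers do not double-encode. renderNode continues past the end of the hunk.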