[SECURITY] XSS in Filelist 20/40820/2
author: Markus Bucher <markusbucher@gmx.de>
Tue, 3 Jun 2014 06:06:05 +0000 (08:06 +0200)
committer: Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:20:41 +0000 (16:20 +0200)
Properly escape user input when showing error messages
during file renaming.

Resolves: #59211
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-004
Change-Id: I59c847e3ee1a5d5c2633cad9e3ce51b290dd1c22
Reviewed-on: http://review.typo3.org/40820
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php

index 5ae3ddd..a073c69 100644 (file)
@@ -302,7 +302,7 @@ class ExtendedFileUtility extends \TYPO3\CMS\Core\Utility\File\BasicFileUtility
                foreach ($this->getErrorMessages() as $msg) {
                        $flashMessage = GeneralUtility::makeInstance(
                                'TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
-                               $msg,
+                               htmlspecialchars($msg),
                                '',
                                \TYPO3\CMS\Core\Messaging\FlashMessage::ERROR,
                                TRUE
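Review bot: `htmlspecialchars($msg)` is called with the default flags, so single quotes are left unencoded; if the flash message body can end up inside an HTML attribute, pass `ENT_QUOTES` (and an explicit `'UTF-8'` charset) so that `'` is encoded as well. Also note that the escaping now happens at construction time rather than at rendering: every consumer of this `FlashMessage` receives pre-encoded text, so any path that emits the message in a non-HTML context (for example a plain-text or JSON response) will show entity-encoded characters, and any renderer that escapes on output will double-encode. A short comment above the `makeInstance()` call stating that `$msg` may contain the user-supplied file name, and is therefore escaped here deliberately, would make the intent clear to the next person touching this block.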