[SECURITY] Prevent XSS in IRRE elements 79/49079/2
authorNicole Cordes <typo3@cordes.co>
Tue, 19 Jul 2016 10:17:40 +0000 (12:17 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:17:45 +0000 (12:17 +0200)
This patch changes a JavaScript function to use text() instead of html()
to prevent JavaScript execution.

Resolves: #76922
Releases: master, 7.6, 6.2
Security-Commit: 252c2cb492ace6c3605772c280f65873f0c18299
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I302b0c58d8c7115b137d7c06e22ac9bdb4d6f738
Reviewed-on: https://review.typo3.org/49079
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
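--- a/typo3/sysext/backend/Resources/Public/JavaScript/jsfunc.inline.js
+++ b/typo3/sysext/backend/Resources/Public/JavaScript/jsfunc.inline.js
@@ -1133,7 +1133,7 @@ var inline = {
                        } else {
                                value = formObj.value;
                        }
-                       TYPO3.jQuery('#' + this.escapeObjectId(objectId) + '_label').html(value.length ? value : this.noTitleString);
+                       TYPO3.jQuery('#' + this.escapeObjectId(objectId) + '_label').text(value.length ? value : this.noTitleString);
                }
                return true;
        },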
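Review bot: The new `.text()` call renders `this.noTitleString` literally as well as `value`, so if that fallback string is ever defined with markup it will now display the tags verbatim; the hunk does not show where `noTitleString` is set, so it is worth confirming it is plain text, or else setting the fallback on its own branch. A one-line why-comment above the changed line would stop a later maintainer from switching back to `.html()` to get styled output: `// .text(), not .html(): the label is built from a user-editable form value and must never be parsed as markup`. The same form-derived `value` may feed other label or title updates elsewhere in this file that still use `.html()`; that cannot be seen from this hunk but is the natural follow-up audit. The enclosing method starts outside the hunk.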