Fixed bug #13958: XSS in BE Log (thanks to Georg Ringer)

author Oliver Hader <oliver.hader@typo3.org>

Wed, 28 Jul 2010 08:58:08 +0000 (08:58 +0000)

committer Oliver Hader <oliver.hader@typo3.org>

Wed, 28 Jul 2010 08:58:08 +0000 (08:58 +0000)
author Oliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:58:08 +0000 (08:58 +0000)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:58:08 +0000 (08:58 +0000)
diff --git a/ChangeLog b/ChangeLog

index 0598df3..e23b9a9 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,7 @@
         * Fixed bug #14950: XSS in t3editor (thanks to Tobias Liebig)
         * Fixed bug #14850: Information disclosure in t3lib_htmlmail (thanks to Georg Ringer)
         * Fixed bug #13961: XSS in impexp (thanks to Georg Ringer)
+       * Fixed bug #13958: XSS in BE Log (thanks to Georg Ringer)
  
  2010-07-27  Steffen Kamper  <steffen@typo3.org>
  
diff --git a/t3lib/class.t3lib_bedisplaylog.php b/t3lib/class.t3lib_bedisplaylog.php

index 757f44a..ea509cb 100644 (file)
--- a/t3lib/class.t3lib_bedisplaylog.php
+++ b/t3lib/class.t3lib_bedisplaylog.php
@@ -204,6 +204,7 @@ class t3lib_BEDisplayLog {
                                 $text = str_replace('%s','',$text);
                         }
                 }
+               $text = htmlspecialchars($text);
  
                         // Finding the history for the record
                 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,fieldlist', 'sys_history', 'sys_log_uid='.intval($sys_log_uid));
author	Oliver Hader <oliver.hader@typo3.org>
	Wed, 28 Jul 2010 08:58:08 +0000 (08:58 +0000)
committer	Oliver Hader <oliver.hader@typo3.org>
	Wed, 28 Jul 2010 08:58:08 +0000 (08:58 +0000)
ChangeLog		patch \| blob \| history
t3lib/class.t3lib_bedisplaylog.php		patch \| blob \| history