[SECURITY] XSS in belog module 23/45523/2
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Wed, 30 Dec 2015 17:17:06 +0000 (18:17 +0100)
committerMorton Jonuschat <m.jonuschat@mojocode.de>
Wed, 30 Dec 2015 17:29:03 +0000 (18:29 +0100)
The username of a backend user and the title of a workspace record
lack proper escaping when rendered in the belog module.

Since this has only impact on admin users in the backend, the
fix is handled in public instead of a security release.

Resolves: #72475
Releases: master, 7.6, 6.2
Change-Id: Ib165f8ef849a641984fc5fb834b30983f7b63a54
(cherry picked from commit 056323e9141c9028d07c1e12543584e03b5f0c9e)
Reviewed-on: https://review.typo3.org/45523
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
typo3/sysext/belog/Classes/ViewHelpers/UsernameViewHelper.php
typo3/sysext/belog/Classes/ViewHelpers/WorkspaceTitleViewHelper.php

index 71b5903..f2671ed 100644 (file)
@@ -42,14 +42,14 @@ class UsernameViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHe
         */
        public function render($uid) {
                if (isset(static::$usernameRuntimeCache[$uid])) {
-                       return static::$usernameRuntimeCache[$uid];
+                       return htmlspecialchars(static::$usernameRuntimeCache[$uid]);
                }
 
                /** @var $user \TYPO3\CMS\Extbase\Domain\Model\BackendUser */
                $user = $this->backendUserRepository->findByUid($uid);
                // $user may be NULL if user was deleted from DB, set it to empty string to always return a string
                static::$usernameRuntimeCache[$uid] = ($user === NULL) ? '' : $user->getUserName();
-               return static::$usernameRuntimeCache[$uid];
+               return htmlspecialchars(static::$usernameRuntimeCache[$uid]);
        }
 
 }
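Review bot: `htmlspecialchars()` on lines 29 and 37 is called with default flags, so single quotes are left unencoded (the default is ENT_COMPAT) and, on PHP older than 5.4, the default charset is ISO-8859-1 rather than UTF-8; the escaping is therefore incomplete for a value that lands in a single-quoted attribute or contains multibyte text. Since the 6.2 branch is listed under Releases, that older PHP range may still be relevant there. Prefer an explicit call, `return htmlspecialchars(static::$usernameRuntimeCache[$uid], ENT_QUOTES, 'UTF-8');` (ENT_SUBSTITUTE can be added where PHP 5.4+ is guaranteed). The same applies to the corresponding returns in WorkspaceTitleViewHelper (lines 47 and 56).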
index ca8eb40..fdef544 100644 (file)
@@ -42,7 +42,7 @@ class WorkspaceTitleViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\Abstract
         */
        public function render($uid) {
                if (isset(static::$workspaceTitleRuntimeCache[$uid])) {
-                       return static::$workspaceTitleRuntimeCache[$uid];
+                       return htmlspecialchars(static::$workspaceTitleRuntimeCache[$uid]);
                }
 
                if ($uid === 0) {
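Review bot: The docblock closing at line 43 now sits above a render() whose return value is HTML-escaped, but nothing records that contract; a template or caller that escapes the result again would double-encode, turning `&` into `&amp;amp;`. Extend the `@return` line to something like `@return string Workspace title, already passed through htmlspecialchars() for direct HTML output`. The same note belongs on UsernameViewHelper::render() (docblock closing at line 25). render() continues past the end of this hunk.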
@@ -56,7 +56,7 @@ class WorkspaceTitleViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\Abstract
                        static::$workspaceTitleRuntimeCache[$uid] = ($workspace === NULL) ? '' : $workspace->getTitle();
                }
 
-               return static::$workspaceTitleRuntimeCache[$uid];
+               return htmlspecialchars(static::$workspaceTitleRuntimeCache[$uid]);
        }
 
 }
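Review bot: The escaping is applied at both exits of render() (lines 47 and 56), so the call has to be kept identical in two places and the early return at line 47 now does exactly the work of the final return; the method reads more simply if the cache check only guards the lookup (`if (!isset(static::$workspaceTitleRuntimeCache[$uid])) { ... }`) and a single `return htmlspecialchars(static::$workspaceTitleRuntimeCache[$uid]);` follows it. Keeping the raw title in the cache and escaping on the way out, as the change does, is the right split, since an escaped cache value would be tied to the HTML context. The same shape applies to UsernameViewHelper::render(). render() starts before this hunk.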