[BUGFIX] XSS in Recycler
authorSteffen Gebert <steffen.gebert@typo3.org>
Wed, 27 Jul 2011 10:29:20 +0000 (12:29 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:30:37 +0000 (12:30 +0200)
Change-Id: I2ffdede462ae161f797a6dbeb3198b65b7d4f212
Resolves: #24519
Reviewed-on: http://review.typo3.org/3755
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/recycler/classes/helper/class.tx_recycler_helper.php
typo3/sysext/recycler/classes/view/class.tx_recycler_view_deletedRecords.php

index c8c4bcb..b7fe8bc 100644 (file)
@@ -118,13 +118,13 @@ class tx_recycler_helper {
                                                $output = ' [#VEP#]' . $output;         // Adding visual token - Versioning Entry Point - that tells that THIS position was where the versionized branch got connected to the main tree. I will have to find a better name or something...
                                        }
                                        $uid = $row['pid'];
-                                       $output = '/' . t3lib_div::fixed_lgd_cs(strip_tags($row['title']), $titleLimit) . $output;
+                                       $output = '/' . htmlspecialchars(t3lib_div::fixed_lgd_cs($row['title']), $titleLimit) . $output;
 
                                        if ($row['deleted']) {
                                                $output = '<span class="deletedPath">' . $output . '</span>';
                                        }
 
-                                       if ($fullTitleLimit) $fullOutput = '/' . t3lib_div::fixed_lgd_cs(strip_tags($row['title']), $fullTitleLimit) . $fullOutput;
+                                       if ($fullTitleLimit) $fullOutput = '/' . htmlspecialchars(t3lib_div::fixed_lgd_cs($row['title']), $fullTitleLimit) . $fullOutput;
                                } else {
                                        break;
                                }
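Review bot: The new lines 20 and 27 close the `t3lib_div::fixed_lgd_cs(...)` call one argument too early, so `$titleLimit` / `$fullTitleLimit` is handed to `htmlspecialchars()` as its `$flags` argument and the title is no longer cropped, while the limit value is interpreted as an escaping flag bitmask. The parenthesis should move: `$output = '/' . htmlspecialchars(t3lib_div::fixed_lgd_cs($row['title'], $titleLimit)) . $output;` and `if ($fullTitleLimit) $fullOutput = '/' . htmlspecialchars(t3lib_div::fixed_lgd_cs($row['title'], $fullTitleLimit)) . $fullOutput;`. Since this string is wrapped in HTML markup two lines later, passing `ENT_QUOTES` explicitly would also make the escaping independent of the PHP default. The enclosing method starts before and ends after this hunk.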
index 4e935ca..7f45eb7 100644 (file)
@@ -62,14 +62,14 @@ class tx_recycler_view_deletedRecords {
                                                'table' => $table,
                                                'crdate' => date($GLOBALS['TYPO3_CONF_VARS']['SYS']['ddmmyy'] . ' ' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['hhmm'], $row[$GLOBALS['TCA'][$table]['ctrl']['crdate']]),
                                                'tstamp' => date($GLOBALS['TYPO3_CONF_VARS']['SYS']['ddmmyy'] . ' ' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['hhmm'], $row[$GLOBALS['TCA'][$table]['ctrl']['tstamp']]),
-                                               'owner' => $feuser['username'],
+                                               'owner' => htmlspecialchars($feuser['username']),
                                                'owner_uid' => $row[$GLOBALS['TCA'][$table]['ctrl']['cruser_id']],
                                                'tableTitle' => tx_recycler_helper::getUtf8String(
                                                        $GLOBALS['LANG']->sL($GLOBALS['TCA'][$table]['ctrl']['title'])
                                                ),
-                                               'title' => tx_recycler_helper::getUtf8String(
+                                               'title' => htmlspecialchars(tx_recycler_helper::getUtf8String(
                                                        t3lib_BEfunc::getRecordTitle($table, $row)
-                                               ),
+                                               )),
                                                'path'  => tx_recycler_helper::getRecordPath($row['pid']),
                                        );
                                }
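Review bot: `'tableTitle'` on lines 39-41 is left unescaped while the neighbouring `'owner'` and `'title'` entries now go through `htmlspecialchars()`, so a localized label containing `&` or `<` would be treated differently from the other fields if the consumer renders the whole record the same way. For uniform handling it could be written as `'tableTitle' => htmlspecialchars(tx_recycler_helper::getUtf8String($GLOBALS['LANG']->sL($GLOBALS['TCA'][$table]['ctrl']['title']))),`; I cannot see the rendering side from here, so confirm it does not escape these values a second time. The enclosing method starts before and ends after this hunk.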