[SECURITY] XSS in TCE forms
authorChristian Kuhn <lolli@schwarzbu.ch>
Wed, 15 Aug 2012 10:18:56 +0000 (12:18 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:19:00 +0000 (12:19 +0200)
Properly encode field labels that are set via TSConfig.

Fixes: #25356
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: I23fc1de4ceeab54e1d3d97bc27870a0c070b6038
Security-Commit: 8ddba7927a643e94b491cafd5f348551fdea84ca
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13751
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tceforms.php
t3lib/class.t3lib_tceforms_inline.php
t3lib/tceforms/class.t3lib_tceforms_flexforms.php

index d39f9e4..85c086b 100644 (file)
@@ -1412,7 +1412,7 @@ class t3lib_TCEforms {
                        if (in_array($p[1], $removeItems) || $languageDeny || $authModeDeny) {
                                unset($selItems[$tk]);
                        } elseif (isset($PA['fieldTSConfig']['altLabels.'][$p[1]])) {
-                               $selItems[$tk][0] = $this->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]);
+                               $selItems[$tk][0] = htmlspecialchars($this->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]));
                        }
 
                                // Removing doktypes with no access:
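Review bot: The added `htmlspecialchars()` call on the altLabels line uses the default flags, which on the PHP versions these branches target (ENT_COMPAT) leave single quotes unencoded, so a label that later lands in a single-quoted attribute would still break out; pass the flag explicitly, `htmlspecialchars($this->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]), ENT_QUOTES)`. The same applies to the parallel hunks in t3lib_tceforms_inline.php and t3lib_tceforms_flexforms.php. Encoding at assignment time also means `$selItems[$tk][0]` now holds already-escaped text, so any consumer of `$selItems` that applies its own `htmlspecialchars()` would double-encode — presumably the renderers do not, since that is what this fix relies on, but it is worth confirming and noting in a comment such as `// label is HTML-encoded here; renderers must output it as-is`. The enclosing method starts and ends outside this hunk.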
index 76a2a97..36a4189 100644 (file)
@@ -1544,7 +1544,7 @@ class t3lib_TCEforms_inline {
                                if (in_array($p[1], $removeItems) || $languageDeny || $authModeDeny) {
                                        unset($selItems[$tk]);
                                } elseif (isset($PA['fieldTSConfig']['altLabels.'][$p[1]])) {
-                                       $selItems[$tk][0] = $this->fObj->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]);
+                                       $selItems[$tk][0] = htmlspecialchars($this->fObj->sL($PA['fieldTSConfig']['altLabels.'][$p[1]]));
                                }
 
                                        // Removing doktypes with no access:
index 98a4b1d..ebbeac0 100644 (file)
@@ -273,7 +273,7 @@ class t3lib_TCEforms_Flexforms extends t3lib_TCEforms {
                                                // Rename
                                        foreach ($renameItems as $renameKey => $renameValue) {
                                                if (strcasecmp($renameKey, $itemConf[1]) == 0) {
-                                                       $selItems[$itemKey][0] = $renameValue;
+                                                       $selItems[$itemKey][0] = htmlspecialchars($renameValue);
                                                        unset($renameItems[$renameKey]);
                                                }
                                        }