[SECURITY] Prevent XSS in IRRE elements 66/49066/2
authorNicole Cordes <typo3@cordes.co>
Tue, 19 Jul 2016 10:16:00 +0000 (12:16 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:16:03 +0000 (12:16 +0200)
This patch changes a JavaScript function to use text() instead of html()
to prevent JavaScript execution.

Resolves: #76922
Releases: master, 7.6, 6.2
Security-Commit: d7a59c7dfeb86948f229b6530bdf283178e9ca06
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I6ac713596831ccbb69dc2930357dbdf4603b8baa
Reviewed-on: https://review.typo3.org/49066
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Resources/Public/JavaScript/jsfunc.inline.js

index e5c4d1e..e863fca 100644 (file)
@@ -1133,7 +1133,7 @@ var inline = {
                        } else {
                                value = formObj.value;
                        }
-                       TYPO3.jQuery('#' + this.escapeObjectId(objectId) + '_label').html(value.length ? value : this.noTitleString);
+                       TYPO3.jQuery('#' + this.escapeObjectId(objectId) + '_label').text(value.length ? value : this.noTitleString);
                }
                return true;
        },
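Review bot: The fallback `this.noTitleString` is now also rendered through `.text()`, so if it is defined with an HTML entity or markup (it was interpreted as HTML before this change) it will display literally; its definition is not in the hunk and is worth confirming to be plain text. A short comment on the new line would keep the fix from being undone in a later refactor, e.g. `// Use .text(), not .html(): value comes from a form field and must never be interpreted as markup (#76922)`. The enclosing function starts outside the hunk, so whether `value` can be undefined before `.length` is read is not visible here.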