[SECURITY] XSS in TCA Tree
authorOliver Hader <oliver@typo3.org>
Thu, 8 Nov 2012 11:43:56 +0000 (12:43 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 8 Nov 2012 11:43:59 +0000 (12:43 +0100)
Properly HTML-encode the label of tree nodes.

Fixes: #42774
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: I07bdff99b6f46535f376d518d459f0ebe6fd41ee
Security-Commit: 761f80c1cf733d44e9f02cbecb55d42dc1d741b2
Security-Bulletin: TYPO3-CORE-SA-2012-005
Reviewed-on: http://review.typo3.org/16297
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/tree/renderer/class.t3lib_tree_renderer_extjsjson.php
t3lib/tree/renderer/class.t3lib_tree_renderer_unorderedlist.php

index cc8711f..47343e0 100644 (file)
@@ -75,6 +75,12 @@ class t3lib_tree_Renderer_ExtJsJson extends t3lib_tree_Renderer_Abstract {
                        'uid' => $node->getId()
                );
 
+               foreach ($nodeArray as &$nodeItem) {
+                       if (is_string($nodeItem)) {
+                               $nodeItem = htmlspecialchars($nodeItem);
+                       }
+               }
+
                return $nodeArray;
        }
 
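Review bot: The by-reference loop `foreach ($nodeArray as &$nodeItem)` leaves `$nodeItem` bound to the last element of `$nodeArray` after the loop ends; it is only harmless here because the array is returned on the very next line, so add `unset($nodeItem);` after the closing brace to make that explicit and keep a later edit from writing through the stale reference. The `is_string()` guard also means any nested array values in `$nodeArray` would be returned unencoded; only the `'uid'` entry is visible in this hunk, so whether such values exist has to be confirmed in the part of the method above it. The method's signature and the start of the `$nodeArray` literal lie outside the hunk.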
index 90f5a62..9902ea9 100644 (file)
@@ -48,7 +48,7 @@ class t3lib_tree_Renderer_UnorderedList extends t3lib_tree_Renderer_Abstract {
         * @return mixed
         */
        public function renderNode(t3lib_tree_RepresentationNode $node, $recursive = TRUE) {
-               $code = '<li><span class="' . $node->getIcon() . '">&nbsp;</span>' . $node->getLabel();
+               $code = '<li><span class="' . htmlspecialchars($node->getIcon()) . '">&nbsp;</span>' . htmlspecialchars($node->getLabel());
                if ($recursive && $node->getChildNodes() !== NULL) {
                        $this->recursionLevel++;
                        $code .= $this->renderNodeCollection($node->getChildNodes());
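Review bot: `htmlspecialchars()` is called on the icon and the label with default flags and charset, so on PHP before 5.4 single quotes are left untouched and the charset defaults to ISO-8859-1; since the icon lands in a double-quoted `class` attribute and the label in element text, this still closes the reported injection, but passing the arguments explicitly removes the dependence on the PHP version, e.g. `htmlspecialchars($node->getIcon(), ENT_QUOTES, 'UTF-8')` and likewise for the label (assuming the backend output charset is UTF-8 — confirm against the renderer's charset handling). The `@return mixed` annotation just above could state the concrete type once the rest of the method is checked. `renderNode` continues past the end of the hunk, so any further node-derived strings appended to `$code` there cannot be seen here.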