[SECURITY] XSS in TCA Tree
authorOliver Hader <oliver@typo3.org>
Thu, 8 Nov 2012 11:44:14 +0000 (12:44 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 8 Nov 2012 11:44:17 +0000 (12:44 +0100)
Properly HTML-encode the label of tree nodes.

Fixes: #42774
Releases: 6.0, 4.7, 4.6, 4.5

Change-Id: I59773eb475d0736933a17b3151c998a7e3c528b7
Security-Commit: 04a1bd7b4f131c9e31c39ee63e6ccaf4932dbd8f
Security-Bulletin: TYPO3-CORE-SA-2012-005
Reviewed-on: http://review.typo3.org/16300
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/tree/renderer/class.t3lib_tree_renderer_extjsjson.php
t3lib/tree/renderer/class.t3lib_tree_renderer_unorderedlist.php

index cc8711f..47343e0 100644 (file)
@@ -75,6 +75,12 @@ class t3lib_tree_Renderer_ExtJsJson extends t3lib_tree_Renderer_Abstract {
                        'uid' => $node->getId()
                );
 
+               foreach ($nodeArray as &$nodeItem) {
+                       if (is_string($nodeItem)) {
+                               $nodeItem = htmlspecialchars($nodeItem);
+                       }
+               }
+
                return $nodeArray;
        }
 
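Review bot: The loop added in this hunk calls htmlspecialchars() with its default flags, which on the PHP versions these release branches target converts double quotes but leaves single quotes untouched; since this array is presumably serialised to JSON and rendered into the DOM by the ExtJS client, passing `ENT_QUOTES` is the safer choice, i.e. `$nodeItem = htmlspecialchars($nodeItem, ENT_QUOTES);`. The same applies to both htmlspecialchars() calls in the UnorderedList renderer hunk below. The by-reference foreach also leaves `$nodeItem` bound to the last array element after the loop; that is harmless here because the method returns immediately, but `unset($nodeItem);` after the closing brace is the conventional guard against a later edit reusing the variable. The method body starts outside the hunk, so which keys besides `uid` end up in `$nodeArray` (and thus get encoded) is not visible here.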
index 90f5a62..9902ea9 100644 (file)
@@ -48,7 +48,7 @@ class t3lib_tree_Renderer_UnorderedList extends t3lib_tree_Renderer_Abstract {
         * @return mixed
         */
        public function renderNode(t3lib_tree_RepresentationNode $node, $recursive = TRUE) {
-               $code = '<li><span class="' . $node->getIcon() . '">&nbsp;</span>' . $node->getLabel();
+               $code = '<li><span class="' . htmlspecialchars($node->getIcon()) . '">&nbsp;</span>' . htmlspecialchars($node->getLabel());
                if ($recursive && $node->getChildNodes() !== NULL) {
                        $this->recursionLevel++;
                        $code .= $this->renderNodeCollection($node->getChildNodes());
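Review bot: The docblock immediately above the changed line still declares `@return mixed`, while the method initialises `$code` as a string and, in the visible lines, only ever concatenates to it; `@return string` would document the contract the new escaping relies on and let static analysis check callers. The docblock's opening lines are outside the hunk, so whether `@param bool $recursive` is already documented cannot be confirmed from here. renderNode continues past the end of the hunk, so the final return statement is not visible.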