[SECURITY] XSS for extension meta data in About module
authorOliver Klee <typo3-coding@oliverklee.de>
Wed, 28 Mar 2012 11:54:34 +0000 (13:54 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 28 Mar 2012 11:54:37 +0000 (13:54 +0200)
Change-Id: I139ab25d50f348341cc0feb3ee358337c2500420
Releases: 6.0, 4.7, 4.6, 4.5, 4.4
Fixes: #30969
Security-Commit: 161de99c2dddb19263477b316c437985484bcd38
Security-Bulletin: TYPO3-CORE-SA-2012-001
Reviewed-on: http://review.typo3.org/10010
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/about/mod/index.php

index b6a79b3..31e4ae8 100644 (file)
@@ -168,8 +168,10 @@ class SC_mod_help_about_index {
 
                                $emconf = $EM_CONF['']; // ext key is not set when loading the ext_emconf.php directly
 
-                               $content.= '<tr><td>'.$emconf['title'].' ('.$extensionKey.')</td>'.
-                                                               '<td><a href="mailto:'.$emconf['author_email'].'?subject='.rawurlencode('Thanks for your '.$emconf['title'].' extension').'">'.$emconf['author'].'</a></td></tr>';
+                               $content.= '<tr><td>' . htmlspecialchars($emconf['title']) . ' (' . htmlspecialchars($extensionKey) . ')</td>' .
+                                       '<td><a href="mailto:' . htmlspecialchars($emconf['author_email']) . '?subject=' .
+                                       htmlspecialchars(rawurlencode('Thanks for your ' . $emconf['title'] . ' extension')) . '">' .
+                                       htmlspecialchars($emconf['author']) . '</a></td></tr>';
                        }
                }
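Review bot: On the new `mailto:` line, `$emconf['author_email']` is escaped for the HTML attribute but not validated or encoded for the URI context it sits in. The value comes from an extension's `ext_emconf.php`, so a `?` or `&` in it would still be read as part of the mailto query and could add or override header fields alongside the generated `subject`. I would emit the link only when the value is a well-formed address, for example guarding it with `t3lib_div::validEmail($emconf['author_email'])`, and otherwise print just `htmlspecialchars($emconf['author'])` without an anchor. A short comment such as `// ext_emconf.php is third-party metadata: escape for HTML and check the address before building the mailto URI` would also record why every field is wrapped. The enclosing method begins and ends outside this hunk, so how `$extensionKey` and `$EM_CONF` are populated cannot be checked from here.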