[BUGFIX] Add missing htmlspecialchars() or quoteJSvalue()

Change-Id: I6c088a2e5b9f870bacc7d4e425d56698baad19fb
Resolves: #63321
Releases: master, 6.2
Reviewed-on: http://review.typo3.org/34603
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Markus Klein <klein.t3@reelworx.at>

diff --git a/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php b/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
index c94ede8..af1d5c0 100644 (file)
--- a/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
+++ b/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
@@ -123,7 +123,7 @@ class CreateFolderController {
                        function reload(a) {    //
                                if (!changed || (changed && confirm(' . GeneralUtility::quoteJSvalue($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:mess.redraw')) . '))) {
                                        var params = "&target="+encodeURIComponent(path)+"&number="+a+"&returnUrl=' . rawurlencode($this->returnUrl) . '";
-                                       window.location.href = "' . BackendUtility::getModuleUrl('file_newfolder') . '"+params;
+                                       window.location.href = ' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('file_newfolder')) . '+params;
                                }
                        }
                        function backToList() { //

diff --git a/typo3/sysext/install/Classes/Report/InstallStatusReport.php b/typo3/sysext/install/Classes/Report/InstallStatusReport.php
index 6051676..14f9784 100644 (file)
--- a/typo3/sysext/install/Classes/Report/InstallStatusReport.php
+++ b/typo3/sysext/install/Classes/Report/InstallStatusReport.php
@@ -127,7 +127,7 @@ class InstallStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
                        $value = $GLOBALS['LANG']->getLL('status_updateIncomplete');
                        $severity = \TYPO3\CMS\Reports\Status::WARNING;
                        $url = BackendUtility::getModuleUrl('system_InstallInstall');
-                       $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_update'), '<a href="' . $url . '">', '</a>');
+                       $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.install_update'), '<a href="' . htmlspecialchars($url) . '">', '</a>');
                }
                return \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class, $GLOBALS['LANG']->sL('LLL:EXT:install/Resources/Private/Language/Report/locallang.xlf:status_remainingUpdates'), $value, $message, $severity);
        }

diff --git a/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php b/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
index aebe437..d0630f5 100644 (file)
--- a/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
+++ b/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
@@ -1186,25 +1186,25 @@ class DatabaseRecordList extends AbstractDatabaseRecordList {
                }
                // "Move" wizard link for pages/tt_content elements:
                if ($table == 'tt_content' && $permsEdit || $table == 'pages') {
-                       $onClick = htmlspecialchars('return jumpExt(\'' . $this->backPath . 'move_el.php?table=' . $table . '&uid=' . $row['uid'] . '\');');
+                       $onClick = 'return jumpExt(\'' . $this->backPath . 'move_el.php?table=' . $table . '&uid=' . $row['uid'] . '\');';
                        $linkTitleLL = $GLOBALS['LANG']->getLL('move_' . ($table === 'tt_content' ? 'record' : 'page'), TRUE);
                        $spriteIcon = $table === 'tt_content'
                                ? IconUtility::getSpriteIcon('actions-document-move')
                                : IconUtility::getSpriteIcon('actions-page-move');
-                       $cells['move'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="' . $linkTitleLL . '">' . $spriteIcon . '</a>';
+                       $cells['move'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . $linkTitleLL . '">' . $spriteIcon . '</a>';
                }
                // If the extended control panel is enabled OR if we are seeing a single table:
                if ($GLOBALS['SOBE']->MOD_SETTINGS['bigControlPanel'] || $this->table) {
                        // "Info": (All records)
-                       $onClick = htmlspecialchars(('top.launchView(\'' . $table . '\', \'' . $row['uid'] . '\'); return false;'));
-                       $cells['viewBig'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="' . $GLOBALS['LANG']->getLL('showInfo', TRUE) . '">'
+                       $onClick = 'top.launchView(\'' . $table . '\', \'' . $row['uid'] . '\'); return false;';
+                       $cells['viewBig'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . $GLOBALS['LANG']->getLL('showInfo', TRUE) . '">'
                                . IconUtility::getSpriteIcon('actions-document-info') . '</a>';
                        // If the table is NOT a read-only table, then show these links:
                        if (!$GLOBALS['TCA'][$table]['ctrl']['readOnly']) {
                                // "Revert" link (history/undo)
                                $moduleUrl = BackendUtility::getModuleUrl('record_history', array('element' => $table . ':' . $row['uid']));
-                               $onClick = htmlspecialchars('return jumpExt(' . GeneralUtility::quoteJSvalue($this->backPath . $moduleUrl) . ',\'#latest\');');
-                               $cells['history'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="'
+                               $onClick = 'return jumpExt(' . GeneralUtility::quoteJSvalue($this->backPath . $moduleUrl) . ',\'#latest\');';
+                               $cells['history'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="'
                                        . $GLOBALS['LANG']->getLL('history', TRUE) . '">'
                                        . IconUtility::getSpriteIcon('actions-document-history-open') . '</a>';
                                // Versioning:
@@ -1216,18 +1216,18 @@ class DatabaseRecordList extends AbstractDatabaseRecordList {
                                                if (count($vers) > 1) {
                                                        $versionIcon = count($vers) - 1;
                                                }
-                                               $href = htmlspecialchars($this->backPath . BackendUtility::getModuleUrl('web_txversionM1', array(
+                                               $href = $this->backPath . BackendUtility::getModuleUrl('web_txversionM1', array(
                                                        'table' => $table, 'uid' => $row['uid']
-                                               )));
-                                               $cells['version'] = '<a class="btn" href="' . $href . '" title="'
+                                               ));
+                                               $cells['version'] = '<a class="btn" href="' . htmlspecialchars($href) . '" title="'
                                                        . $GLOBALS['LANG']->getLL('displayVersions', TRUE) . '">'
                                                        . IconUtility::getSpriteIcon(('status-version-' . $versionIcon)) . '</a>';
                                        }
                                }
                                // "Edit Perms" link:
                                if ($table === 'pages' && $GLOBALS['BE_USER']->check('modules', 'system_BeuserTxPermission') && ExtensionManagementUtility::isLoaded('beuser')) {
-                                       $href = htmlspecialchars((BackendUtility::getModuleUrl('system_BeuserTxPermission') . '&id=' . $row['uid'] . '&return_id=' . $row['uid'] . '&edit=1'));
-                                       $cells['perms'] = '<a class="btn" href="' . $href . '" title="'
+                                       $href = BackendUtility::getModuleUrl('system_BeuserTxPermission') . '&id=' . $row['uid'] . '&return_id=' . $row['uid'] . '&edit=1';
+                                       $cells['perms'] = '<a class="btn" href="' . htmlspecialchars($href) . '" title="'
                                                . $GLOBALS['LANG']->getLL('permissions', TRUE) . '">'
                                                . IconUtility::getSpriteIcon('status-status-locked') . '</a>';
                                }
@@ -1311,12 +1311,12 @@ class DatabaseRecordList extends AbstractDatabaseRecordList {
                                        );
 
                                        $params = '&cmd[' . $table . '][' . $row['uid'] . '][delete]=1';
-                                       $onClick = htmlspecialchars('if (confirm(' . $warningText . ')) {jumpToUrl(\''
-                                               . $GLOBALS['SOBE']->doc->issueCommand($params, -1) . '\');} return false;');
+                                       $onClick = 'if (confirm(' . $warningText . ')) {jumpToUrl(\''
+                                               . $GLOBALS['SOBE']->doc->issueCommand($params, -1) . '\');} return false;';
 
                                        $icon = IconUtility::getSpriteIcon('actions-edit-' . $actionName);
                                        $linkTitle = $GLOBALS['LANG']->getLL($actionName, TRUE);
-                                       $cells['delete'] = '<a class="btn" href="#" onclick="' . $onClick . '" title="' . $linkTitle . '">' . $icon . '</a>';
+                                       $cells['delete'] = '<a class="btn" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . $linkTitle . '">' . $icon . '</a>';
                                }
                                // "Levels" links: Moving pages into new levels...
                                if ($permsEdit && $table == 'pages' && !$this->searchLevels) {

diff --git a/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php b/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php
index 15386d6..94b551c 100644 (file)
--- a/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php
+++ b/typo3/sysext/reports/Classes/Report/Status/ConfigurationStatus.php
@@ -81,7 +81,7 @@ class ConfigurationStatus implements \TYPO3\CMS\Reports\StatusProviderInterface
                        $value = $GLOBALS['LANG']->getLL('status_empty');
                        $severity = \TYPO3\CMS\Reports\Status::WARNING;
                        $url =  \TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl('system_dbint') . '&id=0&SET[function]=refindex';
-                       $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_reference_index'), '<a href="' . $url . '">', '</a>', \TYPO3\CMS\Backend\Utility\BackendUtility::dateTime($lastRefIndexUpdate));
+                       $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_reference_index'), '<a href="' . htmlspecialchars($url) . '">', '</a>', \TYPO3\CMS\Backend\Utility\BackendUtility::dateTime($lastRefIndexUpdate));
                }
                return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class, $GLOBALS['LANG']->getLL('status_referenceIndex'), $value, $message, $severity);
        }

diff --git a/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php b/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
index 905be53..6ce6e41 100644 (file)
--- a/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
+++ b/typo3/sysext/reports/Classes/Report/Status/SecurityStatus.php
@@ -78,7 +78,7 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
                                $editUserAccountUrl = 'alt_doc.php?returnUrl=' .
                                        rawurlencode(BackendUtility::getModuleUrl('system_ReportsTxreportsm1')) . '&edit[be_users][' . $row['uid'] . ']=edit';
                                $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.backend_admin'),
-                                       '<a href="' . $editUserAccountUrl . '">', '</a>');
+                                       '<a href="' . htmlspecialchars($editUserAccountUrl) . '">', '</a>');
                        }
                }
                $GLOBALS['TYPO3_DB']->sql_free_result($res);
@@ -201,7 +201,7 @@ class SecurityStatus implements \TYPO3\CMS\Reports\StatusProviderInterface {
                        $severity = \TYPO3\CMS\Reports\Status::ERROR;
                        $changeInstallToolPasswordUrl = BackendUtility::getModuleUrl('system_InstallInstall');
                        $message = sprintf($GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:warning.installtool_default_password'),
-                               '<a href="' . $changeInstallToolPasswordUrl . '">', '</a>');
+                               '<a href="' . htmlspecialchars($changeInstallToolPasswordUrl) . '">', '</a>');
                }
                return GeneralUtility::makeInstance(\TYPO3\CMS\Reports\Status::class,
                        $GLOBALS['LANG']->getLL('status_installToolPassword'), $value, $message, $severity);

diff --git a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
index e99e848..e481264 100644 (file)
--- a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
+++ b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
@@ -679,7 +679,7 @@ class SetupModuleController {
                                }
                        }
                        if (count($opt)) {
-                               $this->simulateSelector = '<select id="field_simulate" name="simulateUser" onchange="window.location.href=\'' . BackendUtility::getModuleUrl('user_setup') . '&simUser=\'+this.options[this.selectedIndex].value;"><option></option>' . implode('', $opt) . '</select>';
+                               $this->simulateSelector = '<select id="field_simulate" name="simulateUser" onchange="window.location.href=' . GeneralUtility::quoteJSvalue(BackendUtility::getModuleUrl('user_setup') . '&simUser=') . '+this.options[this.selectedIndex].value;"><option></option>' . implode('', $opt) . '</select>';
                        }
                }
                // This can only be set if the previous code was executed.

diff --git a/typo3/sysext/sys_action/Classes/ActionTask.php b/typo3/sysext/sys_action/Classes/ActionTask.php
index adf3b1d..55d0910 100644 (file)
--- a/typo3/sysext/sys_action/Classes/ActionTask.php
+++ b/typo3/sysext/sys_action/Classes/ActionTask.php
@@ -718,9 +718,10 @@ class ActionTask implements \TYPO3\CMS\Taskcenter\TaskInterface {
                                                $actionContent .= '<hr /> ' . $fullsearch->tableWrap($sql_query['qSelect']);
                                        }
                                        $actionContent .= '<br /><a title="' . $GLOBALS['LANG']->getLL('action_editQuery') . '" href="'
-                                               . BackendUtility::getModuleUrl('system_dbint')
-                                               . '&id=' . '&SET[function]=search' . '&SET[search]=query'
-                                               . '&storeControl[STORE]=-' . $record['uid'] . '&storeControl[LOAD]=1' . '">
+                                               . htmlspecialchars(BackendUtility::getModuleUrl('system_dbint')
+                                                       . '&id=' . '&SET[function]=search' . '&SET[search]=query'
+                                                       . '&storeControl[STORE]=-' . $record['uid'] . '&storeControl[LOAD]=1')
+                                               . '">
                                                <img class="icon"' . \TYPO3\CMS\Backend\Utility\IconUtility::skinImg($GLOBALS['BACK_PATH'],
                                                'gfx/edit2.gif') . ' alt="" />' . $GLOBALS['LANG']->getLL(($queryIsEmpty ? 'action_createQuery'
                                                : 'action_editQuery')) . '</a><br /><br />';

diff --git a/typo3/sysext/version/Classes/Controller/VersionModuleController.php b/typo3/sysext/version/Classes/Controller/VersionModuleController.php
index ba79c40..b88eb73 100644 (file)
--- a/typo3/sysext/version/Classes/Controller/VersionModuleController.php
+++ b/typo3/sysext/version/Classes/Controller/VersionModuleController.php
@@ -424,7 +424,7 @@ class VersionModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClass
                                                        <td>' . $this->adminLinks($tN, $subrow) . '</td>
                                                        <td>' . $subrow['uid'] . '</td>
                                                        ' . ($ownVer > 1 ? '<td style="font-weight: bold; background-color: yellow;"><a href="' .
-                                                       BackendUtility::getModuleUrl('web_txversionM1', array('table' => $tN, 'uid' => $subrow['uid'])) .
+                                                       htmlspecialchars(BackendUtility::getModuleUrl('web_txversionM1', array('table' => $tN, 'uid' => $subrow['uid']))) .
                                                        '">' . ($ownVer - 1) . '</a></td>' : '<td></td>') . '
                                                        <td width="98%">' . BackendUtility::getRecordTitle($tN, $subrow, TRUE) . '</td>
                                                </tr>';