[BUGFIX] Prevent XSS in scheduler extension 20/53720/2
authorWouter Wolters <typo3@wouterwolters.nl>
Thu, 17 Aug 2017 11:37:20 +0000 (13:37 +0200)
committerFrank Naegler <frank.naegler@typo3.org>
Fri, 18 Aug 2017 13:45:43 +0000 (15:45 +0200)
Releases: master,8.7,7.6
Resolves: #82079
Change-Id: I21a6ebcff4ebd0c6f2d2c83e0aa6d9e2c03d32d9
Reviewed-on: https://review.typo3.org/53720
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wolfgang Klinger <wolfgang@wazum.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
typo3/sysext/scheduler/Classes/Controller/SchedulerModuleController.php

index 3278565..99b2d1b 100644 (file)
@@ -731,8 +731,8 @@ class SchedulerModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClas
                 . $label
                 . '<div class="form-control-wrap">'
                     . '<div class="input-group" id="tceforms-datetimefield-task_start_row-wrapper">'
-                        . '<input name="tx_scheduler[start]_hr" value="' . $value . '" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row">'
-                        . '<input name="tx_scheduler[start]" value="' . $taskInfo['start'] . '" type="hidden">'
+                        . '<input name="tx_scheduler[start]_hr" value="' . htmlspecialchars($value) . '" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_start_row">'
+                        . '<input name="tx_scheduler[start]" value="' . htmlspecialchars($taskInfo['start']) . '" type="hidden">'
                         . '<span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_start_row"><span class="fa fa-calendar"></span></label></span>'
                     . '</div>'
                 . '</div>'
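Review bot: The `htmlspecialchars($value)` and `htmlspecialchars($taskInfo['start'])` calls on the two added lines rely on PHP's default flags, which before PHP 8.1 are ENT_COMPAT without ENT_SUBSTITUTE; that does escape the double quote these attributes are delimited with, but an invalid UTF-8 sequence in the input makes htmlspecialchars return an empty string and silently blanks the field. Passing the flags explicitly makes the contract independent of the PHP version the 7.6/8.7/master branches run on, e.g. `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and the same for `$taskInfo['start']`. Both values are assigned outside the hunk, so whether they can still carry the raw submitted form value on re-display (which is presumably the XSS vector being fixed) cannot be confirmed from here; the enclosing method begins and ends outside the hunk.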
@@ -747,8 +747,8 @@ class SchedulerModuleController extends \TYPO3\CMS\Backend\Module\BaseScriptClas
                 . BackendUtility::wrapInHelp($this->cshKey, 'task_end', $label)
                 . '<div class="form-control-wrap">'
                     . '<div class="input-group" id="tceforms-datetimefield-task_end_row-wrapper">'
-                        . '<input name="tx_scheduler[end]_hr" value="' . $value . '" class="form-control  t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row">'
-                        . '<input name="tx_scheduler[end]" value="' . $taskInfo['end'] . '" type="hidden">'
+                        . '<input name="tx_scheduler[end]_hr" value="' . htmlspecialchars($value) . '" class="form-control  t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="tceforms-datetimefield-task_end_row">'
+                        . '<input name="tx_scheduler[end]" value="' . htmlspecialchars($taskInfo['end']) . '" type="hidden">'
                         . '<span class="input-group-btn"><label class="btn btn-default" for="tceforms-datetimefield-task_end_row"><span class="fa fa-calendar"></span></label></span>'
                     . '</div>'
                 . '</div>'
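Review bot: The end-field markup on the two changed lines is a near-verbatim copy of the start-field markup fixed in the previous hunk, and the fact that both copies had to be patched separately is exactly how the unescaped attribute slipped through; extracting the input group into one helper would leave a single place where the escaping lives. The helper below also pins the htmlspecialchars flags rather than relying on the PHP-version-dependent defaults, and casts to string because `$taskInfo['end']` may be an integer timestamp or empty when no end is set, which cannot be confirmed from the hunk. The enclosing method starts and ends outside the hunk, so the call sites and the `$label`/`wrapInHelp` wrapping would stay where they are.
```php
/**
 * Renders the date/time picker input group shared by the start and end fields.
 *
 * @param string $field    form field key, 'start' or 'end' (developer-controlled, not user input)
 * @param string $hrValue  human-readable date shown in the visible input
 * @param mixed  $rawValue value for the hidden field (timestamp or submitted string)
 * @return string
 */
protected function renderDateTimeField($field, $hrValue, $rawValue)
{
    $id = 'tceforms-datetimefield-task_' . $field . '_row';
    return '<div class="input-group" id="' . $id . '-wrapper">'
        . '<input name="tx_scheduler[' . $field . ']_hr" value="' . htmlspecialchars((string)$hrValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" class="form-control t3js-datetimepicker t3js-clearable" data-date-type="datetime" type="text" id="' . $id . '">'
        . '<input name="tx_scheduler[' . $field . ']" value="' . htmlspecialchars((string)$rawValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '" type="hidden">'
        . '<span class="input-group-btn"><label class="btn btn-default" for="' . $id . '"><span class="fa fa-calendar"></span></label></span>'
        . '</div>';
}
// … unchanged: label / wrapInHelp wrapping and the surrounding form-control-wrap div …
```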