Fixed bug #13957: XSS in template analyzer (thanks to Georg Ringer)
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:59:19 +0000 (08:59 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:59:19 +0000 (08:59 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8355 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_tsparser_ext.php
typo3/sysext/tstemplate_analyzer/class.tx_tstemplateanalyzer.php

index aca96f5..7621b07 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,7 @@
        * Fixed bug #13960: XSS in sys_action (thanks to Georg Ringer)
        * Fixed bug #13958: XSS in BE Log (thanks to Georg Ringer)
        * Fixed bug #14317: XSS in Extension Manager (thanks to Georg Ringer)
+       * Fixed bug #13957: XSS in template analyzer (thanks to Georg Ringer)
 
 2010-07-21  Ingo Renner  <ingo@typo3.org>
 
index fddf866..8a8bad7 100755 (executable)
@@ -613,7 +613,7 @@ class t3lib_tsparser_ext extends t3lib_TStemplate   {
                                $A_B='';
                                $A_E='';
                        }
-                       $HTML.=($first?'':'<IMG src="'.$GLOBALS['BACK_PATH'].'gfx/ol/'.$PM.$BTM.'.gif" width="18" height="16" align="top" border=0>').'<img ' . t3lib_iconWorks::skinImg($GLOBALS['BACK_PATH'], $icon) . ' align="top" title="'.$alttext.'" /> '.$A_B.t3lib_div::fixed_lgd_cs($row['title'],$GLOBALS['BE_USER']->uc['titleLen']).$A_E.'&nbsp;&nbsp;';
+                       $HTML .= ($first ? '' : '<img src="' . $GLOBALS['BACK_PATH'] . 'gfx/ol/' . $PM.$BTM . '.gif" width="18" height="16" align="top" border=0>') . '<img ' . t3lib_iconWorks::skinImg($GLOBALS['BACK_PATH'], $icon) . ' align="top" title="' . htmlspecialchars($alttext) . '" /> ' . $A_B . htmlspecialchars(t3lib_div::fixed_lgd_cs($row['title'], $GLOBALS['BE_USER']->uc['titleLen'])) . $A_E . '&nbsp;&nbsp;';
                        $RL = $this->ext_getRootlineNumber($row['pid']);
                        $keyArray[] = '<tr>
                                                        <td nowrap>'.$HTML.'</td>
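Review bot: The two `htmlspecialchars()` calls on the added `$HTML .=` line use the default flags, so only double quotes are encoded; that is sufficient here because both values land in double-quoted attributes or in text content, but `htmlspecialchars($alttext, ENT_QUOTES)` (and the same for the cropped title) would keep the escaping correct if the quoting of the markup is ever changed. The other interpolated values on that line (`$PM.$BTM`, `$icon`, `$A_B`/`$A_E`) remain unescaped; `$A_B`/`$A_E` are assigned above the visible `$A_B='';` else branch, so confirm they are built from escaped values rather than raw row fields. Escaping after `fixed_lgd_cs()` rather than before is the right order, since cropping an already-escaped entity could leave a truncated `&...;` in the output. The enclosing method starts and ends outside the hunk.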
index 567d119..1a7a45b 100644 (file)
@@ -151,13 +151,13 @@ class tx_tstemplateanalyzer extends t3lib_extobjbase {
                        reset($tmpl->clearList_const);
                        while(list($key,$val)=each($tmpl->constants))   {
                                $cVal = current($tmpl->clearList_const);
-                               if ($cVal==t3lib_div::_GET('template') || t3lib_div::_GET('template')=="all")   {
-                                       $theOutput.='
+                               if ($cVal == t3lib_div::_GET('template') || t3lib_div::_GET('template') == 'all')       {
+                                       $theOutput .= '
                                                <tr>
-                                                       <td><img src=clear.gif width=3 height=1></td><td class="bgColor2"><b>'.$tmpl->templateTitles[$cVal].'</b></td></tr>
+                                                       <td><img src="clear.gif" width="3" height="1"></td><td class="bgColor2"><b>' . htmlspecialchars($tmpl->templateTitles[$cVal]) . '</b></td></tr>
                                                <tr>
-                                                       <td><img src=clear.gif width=3 height=1></td>
-                                                       <td class="bgColor2"><table border=0 cellpadding=0 cellspacing=0 class="bgColor4" width="100%"><tr><td nowrap>'.$tmpl->ext_outputTS(array($val),$this->pObj->MOD_SETTINGS["ts_analyzer_checkLinenum"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkComments"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkCrop"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkSyntax"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkSyntaxBlockmode"]).'</td></tr></table>
+                                                       <td><img src="clear.gif" width="3" height="1"></td>
+                                                       <td class="bgColor2"><table border="0" cellpadding="0" cellspacing="0" class="bgColor4" width="100%"><tr><td nowrap="nowrap">' . $tmpl->ext_outputTS(array($val), $this->pObj->MOD_SETTINGS['ts_analyzer_checkLinenum'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkComments'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkCrop'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkSyntax'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkSyntaxBlockmode']) . '</td></tr></table>
                                                        </td>
                                                </tr>
                                        ';
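Review bot: The reformatted condition `$cVal == t3lib_div::_GET('template')` still compares a request parameter with loose `==`; if the entries of `clearList_const` can be integers, PHP's numeric-string rules make a value such as `'12abc'` compare equal to `12`, so the selected rows would not match the literal parameter. Comparing as strings, `(string)$cVal === (string)t3lib_div::_GET('template')`, removes that ambiguity; the same applies to the `current($tmpl->clearList_setup) == t3lib_div::_GET('template')` check in the next hunk. With `templateTitles` now passed through `htmlspecialchars()` this is a hardening point rather than an output-escaping gap. The `while` loop and the enclosing method continue beyond the hunk.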
@@ -187,13 +187,13 @@ class tx_tstemplateanalyzer extends t3lib_extobjbase {
                        reset($tmpl->config);
                        reset($tmpl->clearList_setup);
                        while(list($key,$val)=each($tmpl->config))      {
-                               if (current($tmpl->clearList_setup)==t3lib_div::_GET('template') || t3lib_div::_GET('template')=="all") {
+                               if (current($tmpl->clearList_setup) == t3lib_div::_GET('template') || t3lib_div::_GET('template') == 'all')     {
                                        $theOutput.='
                                                <tr>
-                                                       <td><img src=clear.gif width=3 height=1></td><td class="bgColor2"><b>'.$tmpl->templateTitles[current($tmpl->clearList_setup)].'</b></td></tr>
+                                                       <td><img src="clear.gif" width="3" height="1"></td><td class="bgColor2"><b>' . htmlspecialchars($tmpl->templateTitles[current($tmpl->clearList_setup)]) . '</b></td></tr>
                                                <tr>
                                                        <td><img src=clear.gif width=3 height=1></td>
-                                                       <td class="bgColor2"><table border=0 cellpadding=0 cellspacing=0 class="bgColor4" width="100%"><tr><td nowrap>'.$tmpl->ext_outputTS(array($val),$this->pObj->MOD_SETTINGS["ts_analyzer_checkLinenum"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkComments"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkCrop"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkSyntax"],$this->pObj->MOD_SETTINGS["ts_analyzer_checkSyntaxBlockmode"]).'</td></tr></table>
+                                                       <td class="bgColor2"><table border=0 cellpadding=0 cellspacing=0 class="bgColor4" width="100%"><tr><td nowrap="nowrap">' . $tmpl->ext_outputTS(array($val), $this->pObj->MOD_SETTINGS['ts_analyzer_checkLinenum'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkComments'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkCrop'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkSyntax'], $this->pObj->MOD_SETTINGS['ts_analyzer_checkSyntaxBlockmode']) . '</td></tr></table>
                                                        </td>
                                                </tr>
                                        ';
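Review bot: The two markup lines in this hunk that were not touched for escaping keep unquoted attributes, `<img src=clear.gif width=3 height=1>` and `<table border=0 cellpadding=0 cellspacing=0 ...>`, while the parallel constants hunk above rewrote the same tags as `<img src="clear.gif" width="3" height="1">` and `<table border="0" cellpadding="0" cellspacing="0" ...>`, so the two generated tables now differ only in attribute quoting. Applying the same quoting here keeps both sections consistent and avoids the unquoted form, which is easy to get wrong once a dynamic value is interpolated into such an attribute. The `while` loop and the enclosing method continue beyond the hunk.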