[SECURITY] XSS through WS comments 66/45266/2
authorWouter Wolters <typo3@wouterwolters.nl>
Tue, 15 Dec 2015 10:34:02 +0000 (11:34 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:34:08 +0000 (11:34 +0100)
Resolves: #25227
Releases: master, 6.2
Security-Commit: f87f24a062c9443c571563eb443486190da12fb4
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: Ia57f5ed9110f6915118387b6315252001e1e44e6
Reviewed-on: https://review.typo3.org/45266
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/workspaces/Classes/ExtDirect/ExtDirectServer.php

index 1cd5024..bfff15a 100644 (file)
@@ -195,15 +195,18 @@ class ExtDirectServer extends \TYPO3\CMS\Workspaces\ExtDirect\AbstractHandler {
                        'total' => 1,
                        'data' => array(
                                array(
+                                       // these parts contain HTML (don't escape)
                                        'diff' => $diffReturnArray,
                                        'live_record' => $liveReturnArray,
-                                       'path_Live' => $parameter->path_Live,
-                                       'label_Stage' => $parameter->label_Stage,
-                                       'stage_position' => $stagePosition['position'],
-                                       'stage_count' => $stagePosition['count'],
-                                       'comments' => $commentsForRecord,
                                        'icon_Live' => $icon_Live,
-                                       'icon_Workspace' => $icon_Workspace
+                                       'icon_Workspace' => $icon_Workspace,
+                                       // this part is already escaped in getCommentsForRecord()
+                                       'comments' => $commentsForRecord,
+                                       // escape/santinize the others
+                                       'path_Live' => htmlspecialchars($parameter->path_Live),
+                                       'label_Stage' => htmlspecialchars($parameter->label_Stage),
+                                       'stage_position' => (int)$stagePosition['position'],
+                                       'stage_count' => (int)$stagePosition['count']
                                )
                        )
                );
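Review bot: The `htmlspecialchars()` calls on the new `path_Live` and `label_Stage` lines rely on the default flags, which on the PHP versions in use when this landed (before 8.1) are ENT_COMPAT, so single quotes stay unescaped and a string containing invalid UTF-8 is silently reduced to an empty string; if the ExtJS client ever drops these values into a single-quoted attribute, the escaping is incomplete. Pass the flags explicitly, `'path_Live' => htmlspecialchars($parameter->path_Live, ENT_QUOTES, 'UTF-8'),` and the same for `label_Stage`, adding ENT_SUBSTITUTE where the branch's minimum PHP version permits it, so the output does not depend on how the client quotes attributes. The comment above the `'diff'` and `'live_record'` lines asserts those values are already HTML and must not be escaped, but whether `$diffReturnArray` and `$liveReturnArray` escape their text segments is decided outside this hunk and should be checked at the point they are built. The enclosing method starts and ends outside the hunk; the comment `escape/santinize the others` also has a typo, `sanitize`.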