[SECURITY] XSS in form extension 95/46695/2
authorWouter Wolters <typo3@wouterwolters.nl>
Tue, 16 Feb 2016 10:43:40 +0000 (11:43 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 16 Feb 2016 10:44:03 +0000 (11:44 +0100)
Resolves: #54205
Releases: 6.2
Security-Commit: 8d990b6db4deb63241f3d70a78dff0039094c98a
Security-Bulletinsp: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: Id50b00b6bfc2fcf8461ac32285ee9d4b6d15ca3f
Reviewed-on: https://review.typo3.org/46695
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/form/Classes/View/Confirmation/Additional/AdditionalElementView.php
typo3/sysext/form/Classes/View/Confirmation/Element/AbstractElementView.php
typo3/sysext/form/Classes/View/Mail/Html/Element/AbstractElementView.php

index 09f182d..07d3d54 100644 (file)
@@ -43,7 +43,10 @@ class AdditionalElementView extends \TYPO3\CMS\Form\View\Confirmation\Element\Ab
         * @return string The value of the additional
         */
        public function getAdditionalValue() {
-               return htmlspecialchars($this->model->getAdditionalValue(\TYPO3\CMS\Form\Utility\FormUtility::getInstance()->getLastPartOfClassName($this, TRUE)));
+               return htmlspecialchars(
+                       $this->model->getAdditionalValue(\TYPO3\CMS\Form\Utility\FormUtility::getInstance()->getLastPartOfClassName($this, TRUE)),
+                       ENT_QUOTES
+               );
        }
 
 }
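Review bot: The new `htmlspecialchars(..., ENT_QUOTES)` call passes no charset, so its behaviour depends on the PHP default (ISO-8859-1 before 5.4, UTF-8 since), and on PHP 5.4+ an invalid UTF-8 byte sequence makes it return an empty string, silently blanking the value. Pinning `htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` (or at least `ENT_QUOTES, 'UTF-8'`, depending on the minimum PHP version this release supports) keeps the escaping predictable across the versions the 6.2 branch runs on; the same applies to the calls at L37, L46, L55 and L68. The docblock above should also say what it now returns, e.g. `@return string The additional value, HTML-escaped (ENT_QUOTES)`, so callers do not escape it a second time.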
index 51ffd3b..c7f4195 100644 (file)
@@ -235,7 +235,7 @@ abstract class AbstractElementView {
                $attributes = $this->model->getAttributes();
                foreach ($attributes as $key => $attribute) {
                        if (!empty($attribute)) {
-                               $value = $attribute->getValue();
+                               $value = htmlspecialchars($attribute->getValue(), ENT_QUOTES);
                                if ($value !== '') {
                                        $domElement->setAttribute($key, $value);
                                }
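Review bot: The escaped value is handed to `DOMElement::setAttribute()`, and if this DOM tree is later serialized with `saveXML()`/`saveHTML()` libxml escapes attribute values itself, so a value containing `&` or `<` would now come out as `&amp;amp;` / `&amp;lt;` (double encoding) rather than being protected. Whether that happens depends on the rendering path, which is not visible here; the same pattern is introduced at L46 (`setAttribute`) and L55 (`setAttributeWithValueofOtherAttribute`). If the serialization does escape, the raw value should go into `setAttribute()` and the escaping belongs only on paths that build markup as strings or via `appendXML()`; a short test rendering an attribute value of `a&b"c` through the real output path would settle it. The enclosing method of this foreach starts outside the hunk.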
@@ -251,7 +251,7 @@ abstract class AbstractElementView {
         * @return void
         */
        public function setAttribute(\DOMElement $domElement, $key) {
-               $attribute = $this->model->getAttributeValue((string) $key);
+               $attribute = htmlspecialchars($this->model->getAttributeValue((string) $key), ENT_QUOTES);
                if (!empty($attribute)) {
                        $domElement->setAttribute($key, $attribute);
                }
@@ -267,7 +267,7 @@ abstract class AbstractElementView {
         * @return unknown_type
         */
        public function setAttributeWithValueofOtherAttribute(\DOMElement $domElement, $key, $other) {
-               $attribute = $this->model->getAttributeValue((string) $other);
+               $attribute = htmlspecialchars($this->model->getAttributeValue((string) $other), ENT_QUOTES);
                if (!empty($attribute)) {
                        $domElement->setAttribute($key, $attribute);
                }
@@ -301,10 +301,12 @@ abstract class AbstractElementView {
         */
        public function getInputValue() {
                if (method_exists($this->model, 'getData')) {
-                       $inputValue = nl2br($this->model->getData(), TRUE);
+                       $inputValue = $this->model->getData();
                } else {
                        $inputValue = $this->model->getAttributeValue('value');
                }
+               $inputValue = htmlspecialchars($inputValue, ENT_QUOTES);
+               $inputValue = nl2br($inputValue, TRUE);
                return $inputValue;
        }
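Review bot: Escaping before `nl2br()` is the right order here, since the inserted `<br />` markup survives, but the method's docblock (whose body lies above the hunk) should state the new contract so callers do not re-escape the result, e.g. `@return string HTML-escaped input value (ENT_QUOTES), newlines converted to <br /> tags`. As in the other hunks, the `htmlspecialchars()` call relies on the PHP default charset; passing `'UTF-8'` explicitly removes that version dependence.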
 
index 1635f3d..cbd5207 100644 (file)
@@ -100,7 +100,7 @@ abstract class AbstractElementView {
                                                                if ($this->model->additionalIsSet($nodeName)) {
                                                                        $this->replaceNodeWithFragment($dom, $node, $this->getAdditional('label'));
                                                                } else {
-                                                                       $replaceNode = $dom->createTextNode($this->model->getName());
+                                                                       $replaceNode = $dom->createTextNode(htmlspecialchars($this->model->getName()));
                                                                        $node->parentNode->insertBefore($replaceNode, $node);
                                                                }
                                                                $deleteNode = TRUE;
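Review bot: Wrapping the name in `htmlspecialchars()` before `createTextNode()` looks like double encoding: a DOM text node is escaped by libxml when the document is serialized, so a name containing `&` would be emitted as `&amp;amp;` and appear literally as `&amp;` in the mail, unless the output is entity-decoded further down the pipeline (not visible in this hunk). If the intent is to stop the name from being interpreted as markup, `createTextNode()` already guarantees that and the argument should stay raw; escaping is only needed where the value is parsed as markup, such as an `appendXML()` fragment path. This call also omits `ENT_QUOTES`, unlike the other calls in the commit, so the two views now escape differently. The enclosing method starts and ends outside the hunk.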