[SECURITY] XSS in TCA type inline 00/47600/2
authorFrank Naegler <frank.naegler@typo3.org>
Tue, 12 Apr 2016 09:10:06 +0000 (11:10 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:10:07 +0000 (11:10 +0200)
This patch fixes an XSS vulnerability in TCA type inline.

Resolves: #73460
Releases: master, 7.6
Security-Commit: 8b47f10ac2543ceca5a84121feeddcf8ca17c813
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I0fc2ea99698bb8f60b971ff6fcf4d23ec592715b
Reviewed-on: https://review.typo3.org/47600
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Form/FormDataProvider/TcaRecordTitle.php
typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/TcaRecordTitleTest.php

index e5c1a0f..f53df8f 100644 (file)
@@ -127,7 +127,7 @@ class TcaRecordTitle implements FormDataProviderInterface
             }
         }
 
-        $result['recordTitle'] = implode(', ', $titles);
+        $result['recordTitle'] = htmlspecialchars(implode(', ', $titles));
         return $result;
     }
 
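Review bot: The new `htmlspecialchars()` call on the added line relies on the default flags, which on the PHP versions supported at the time of this commit (before PHP 8.1) are `ENT_COMPAT`, so a single quote in a record title passes through unescaped and an invalid UTF-8 sequence makes the call return an empty string, silently dropping the title. Passing the flags explicitly pins the contract: `$result['recordTitle'] = htmlspecialchars(implode(', ', $titles), ENT_QUOTES | ENT_SUBSTITUTE);`. Escaping here also moves HTML encoding into the form-data layer, so any consumer of `recordTitle` that already escapes on output will now double-encode, and one that renders it into a non-HTML context (JavaScript, attribute, plain text) still needs its own escaping; a comment such as `// recordTitle is HTML-escaped here; consumers must not escape it again` would make that explicit. Whether any element of `$titles` is already escaped cannot be told from the hunk, since the loop that fills it and the enclosing method start outside it.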
index 4a04aca..0338495 100644 (file)
@@ -271,6 +271,13 @@ class TcaRecordTitleTest extends UnitTestCase
                 'aValue',
                 'aValue',
             ],
+            'html is escaped' => [
+                [
+                    'type' => 'input',
+                ],
+                '<foo>',
+                '&lt;foo&gt;',
+            ],
             'date input' => [
                 [
                     'type' => 'input',
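Review bot: The added `'html is escaped'` dataset only covers `<` and `>`, so it does not pin what happens to `"`, `'` and `&`, which is exactly where the default `htmlspecialchars()` flags differ across PHP versions. A second dataset with an input such as `'a "b" & \'c\''` would make the expected encoding of quotes explicit; its expected value depends on the flags the provider passes, so it should be written against whichever flag set is intended. The data provider array this case is added to begins and ends outside the hunk.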