[BUGFIX] Label in list view is not escaped 17/13817/7
authorNicole Cordes <typo3@cordes.co>
Fri, 5 Apr 2013 20:15:24 +0000 (22:15 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Sun, 5 May 2013 11:30:41 +0000 (13:30 +0200)
The label of a field in the list view is not escaped,
because the itemLabel function is broken by its third
parameter: a value wrapped by it cannot be HSCed
afterwards if it contains HTML.

Change-Id: I5adcf0ce97dd9f5e8fd9546b367f55f1ac0c532e
Fixes: #29409
Releases: 6.2, 6.1, 6.0
Reviewed-on: https://review.typo3.org/13817
Reviewed-by: Philipp Gampe
Tested-by: Philipp Gampe
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php

index 86972e1..ef7d7b7 100644 (file)
@@ -1821,8 +1821,8 @@ class BackendUtility {
         *
         * @param string $table Table name, present in $GLOBALS['TCA']
         * @param string $col Field name
-        * @param string $printAllWrap Wrap value - set function description
-        * @return string
+        * @param string $printAllWrap Wrap value - set function description - this parameter is deprecated since TYPO3 6.2 and is removed two versions later. This paramater is a conceptual failure, as the content can then never be HSCed afterwards (which is how the method is used all the time), and then the code would be HSCed twice.
+        * @return string or NULL if $col is not found in the TCA table
         */
        static public function getItemLabel($table, $col, $printAllWrap = '') {
                // Check if column exists
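Review bot: The new return annotation `@return string or NULL if $col is not found in the TCA table` is not valid PHPDoc type syntax, so static analysers and IDEs will read the type as the literal text rather than a nullable string; write it as `@return string|NULL Label of the column, or NULL if $col is not found in the TCA table`. The added `@param` line also carries the typo "paramater" and would be easier to scan if the rationale were shortened to one sentence, e.g. "deprecated since TYPO3 CMS 6.2, removed two versions later: a wrapped value can no longer be HSCed by the caller". getItemLabel() continues below the hunk.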
@@ -1830,9 +1830,12 @@ class BackendUtility {
                        return $GLOBALS['TCA'][$table]['columns'][$col]['label'];
                }
                if ($printAllWrap) {
+                       \TYPO3\CMS\Core\Utility\GeneralUtility::deprecationLog('The third parameter of getItemLabel() is deprecated with TYPO3 CMS 6.2 and will be removed two versions later.');
                        $parts = explode('|', $printAllWrap);
                        return $parts[0] . $col . $parts[1];
                }
+
+               return NULL;
        }
 
        /**
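Review bot: The deprecated branch that the new deprecationLog() call annotates still returns `$parts[0] . $col . $parts[1]`, and `$parts[1]` is undefined when $printAllWrap contains no `|`, which raises a notice on top of the deprecation entry. Since the branch is kept for two more releases, guard it: `return $parts[0] . $col . (isset($parts[1]) ? $parts[1] : '');`. The explicit `return NULL;` is consistent with the new docblock; the start of getItemLabel() lies above this hunk.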
index ec7a230..7020f4d 100644 (file)
@@ -836,6 +836,18 @@ class DatabaseRecordList extends \TYPO3\CMS\Recordlist\RecordList\AbstractDataba
                        default:
                                // Regular fields header:
                                $theData[$fCol] = '';
+
+                               // Check if $fCol is really a field and get the label and remove the colons at the end
+                               $sortLabel = \TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol);
+                               if ($sortLabel !== NULL) {
+                                       $sortLabel = $GLOBALS['LANG']->sL($sortLabel, TRUE);
+                                       $sortLabel = rtrim(trim($sortLabel), ':');
+                               } else {
+                                       // No TCA field, only output the $fCol variable with square brackets []
+                                       $sortLabel = htmlspecialchars($fCol);
+                                       $sortLabel = '<i>[' . rtrim(trim($sortLabel), ':') . ']</i>';
+                               }
+
                                if ($this->table && is_array($currentIdList)) {
                                        // If the numeric clipboard pads are selected, show duplicate sorting link:
                                        if ($this->clipNumPane()) {
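Review bot: $sortLabel now holds already-escaped text (the TRUE passed to sL() on the `$sortLabel = $GLOBALS['LANG']->sL($sortLabel, TRUE);` line, which as far as I can tell applies htmlspecialchars()) or literal `<i>[...]</i>` markup in the non-TCA branch, but the second hunk of this file reuses it in `$iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), $sortLabel);` and then passes $iTitle through htmlspecialchars() again for the title attribute, so an `&` in a label ends up as `&amp;amp;` and the fallback tooltip shows literal `<i>[` text. Before this change the title was built from the raw label and escaped exactly once. Keep a plain copy of the label for the title and escape only the copy that goes into the sort link, then change the $iTitle line to `$iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), $plainLabel);`. The enclosing switch and method continue outside this hunk.
```php
// Check if $fCol is really a field and get the label and remove the colons at the end
$sortLabel = \TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol);
if ($sortLabel !== NULL) {
	$plainLabel = rtrim(trim($GLOBALS['LANG']->sL($sortLabel)), ':');
	$sortLabel = htmlspecialchars($plainLabel);
} else {
	// No TCA field, only output the $fCol variable with square brackets []
	$plainLabel = rtrim(trim($fCol), ':');
	$sortLabel = '<i>[' . htmlspecialchars($plainLabel) . ']</i>';
}
// … unchanged: clipboard pane / edit link block; $iTitle is built from $plainLabel and escaped once there …
```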
@@ -848,11 +860,11 @@ class DatabaseRecordList extends \TYPO3\CMS\Recordlist\RecordList\AbstractDataba
                                                        $editIdList = '\'+editList(\'' . $table . '\',\'' . $editIdList . '\')+\'';
                                                }
                                                $params = '&edit[' . $table . '][' . $editIdList . ']=edit&columnsOnly=' . $fCol . '&disHelp=1';
-                                               $iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), rtrim(trim($GLOBALS['LANG']->sL(\TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol))), ':'));
+                                               $iTitle = sprintf($GLOBALS['LANG']->getLL('editThisColumn'), $sortLabel);
                                                $theData[$fCol] .= '<a href="#" onclick="' . htmlspecialchars(\TYPO3\CMS\Backend\Utility\BackendUtility::editOnClick($params, $this->backPath, -1)) . '" title="' . htmlspecialchars($iTitle) . '">' . \TYPO3\CMS\Backend\Utility\IconUtility::getSpriteIcon('actions-document-open') . '</a>';
                                        }
                                }
-                               $theData[$fCol] .= $this->addSortLink($GLOBALS['LANG']->sL(\TYPO3\CMS\Backend\Utility\BackendUtility::getItemLabel($table, $fCol, '<i>[|]</i>')), $fCol, $table);
+                               $theData[$fCol] .= $this->addSortLink($sortLabel, $fCol, $table);
                                break;
                        }
                }