[SECURITY] XSS in Link Validator 97/46697/2
authorSteffen Müller <typo3@t3node.com>
Tue, 16 Feb 2016 10:43:58 +0000 (11:43 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 16 Feb 2016 10:44:20 +0000 (11:44 +0100)
Properly escape error message when showing broken links
in EXT:linkvalidator

Resolves: #72240
Releases: master, 7.6, 6.2
Security-Commit: 889cbad1b45951dbee9dec6d5f0717d443d42182
Security-Bulletins: TYPO3-CORE-SA-2016-001, 002, 003, 004
Change-Id: I6eba759ca6b71f3f6ff87daf4f8449b6f4f8ddba
Reviewed-on: https://review.typo3.org/46697
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/linkvalidator/Classes/Linktype/InternalLinktype.php
typo3/sysext/linkvalidator/Classes/Report/LinkValidatorReport.php

index 0a69a41..3494dcf 100644 (file)
@@ -277,7 +277,7 @@ class InternalLinktype extends AbstractLinktype
             }
         }
         if (isset($errorPage) && isset($errorContent)) {
-            $response = $errorPage . '<br />' . $errorContent;
+            $response = $errorPage . LF . $errorContent;
         } elseif (isset($errorPage)) {
             $response = $errorPage;
         } elseif (isset($errorContent)) {
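Review bot: The contract of this method changes silently at L26: `$response` is now plain text with an LF separator instead of a fragment containing `<br />`, and the protection against injected markup now rests entirely on every caller HTML-encoding the return value, as LinkValidatorReport does in the companion hunk with htmlspecialchars() plus nl2br(). Nothing in this file records that, so a future caller (or a third-party Linktype hook that still returns markup, which would now be rendered literally by the report) has no hint that the value is unescaped text presumably built from the broken link's target and page data. I would state it on the method's docblock, which lies outside the hunk, e.g. `@return string Plain-text error message, may contain LF; callers must HTML-encode before output`. The enclosing method starts before L21 and continues past L29, so any other return paths it has should be checked for the same plain-text convention.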
index e2fb5ab..449c770 100644 (file)
@@ -532,7 +532,17 @@ class LinkValidatorReport extends \TYPO3\CMS\Backend\Module\AbstractFunctionModu
         if ($response['valid']) {
             $linkMessage = '<span class="valid">' . htmlspecialchars($this->getLanguageService()->getLL('list.msg.ok')) . '</span>';
         } else {
-            $linkMessage = '<span class="error">' . $hookObj->getErrorMessage($response['errorParams']) . '</span>';
+            $linkMessage = '<span class="error">'
+                . nl2br(
+                    // Encode for output
+                    htmlspecialchars(
+                        $hookObj->getErrorMessage($response['errorParams']),
+                        ENT_QUOTES,
+                        'UTF-8',
+                        false
+                    )
+                )
+                . '</span>';
         }
         $markerArray['linkmessage'] = $linkMessage;