[SECURITY] Missing escaping for sys_notes
author Georg Ringer <mail@ringerge.org>
Wed, 28 Mar 2012 11:56:38 +0000 (13:56 +0200)
committer Oliver Hader <oliver@typo3.org>
Wed, 28 Mar 2012 11:56:42 +0000 (13:56 +0200)
sys_notes misses an escaping in info module

Change-Id: If420168807f609709a767c7fb1d6a4d504d277f8
Fixes: #22748
Releases: 6.0, 4.7, 4.6, 4.5, 4.4
Security-Commit: 31c4fdb3c3c9fe9d1a28fd13ca69f8b97d15459e
Security-Bulletin: TYPO3-CORE-SA-2012-001
Reviewed-on: http://review.typo3.org/10035
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/cms/layout/class.tx_cms_layout.php

index 1b370a1..da85814 100755 (executable)
@@ -912,7 +912,7 @@ class tx_cms_layout extends recordList {
 
                                                        $theData['__cmds__'] = $this->getIcon('sys_note', $row);
                                                        $theData['info'] = $head . $cont;
-                                                       $theData['note'] = nl2br($row['message']);
+                                                       $theData['note'] = nl2br(htmlspecialchars($row['message']));
 
                                                        $out .= $this->addelement(1, '', $theData, $tdparams, 20);
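
Review bot: The context line `$theData['info'] = $head . $cont;` directly above the fix feeds the same `$theData` row without any escaping visible here, and the hunk does not show how `$head` and `$cont` are built; if either carries sys_note record fields, it needs the same htmlspecialchars() treatment before the row reaches addelement(). On the changed `$theData['note']` line the order is right (escape first, then nl2br(), so the generated line-break tags survive), but htmlspecialchars() is called with its default flags and charset; passing them explicitly would keep the escaping independent of the PHP defaults. A regression test that renders a note whose message contains markup would be worth adding alongside this change.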