[SECURITY] XSS in Scheduler Example Task
author Mario Rimann <mario.rimann@typo3.org>
Wed, 15 Aug 2012 10:21:35 +0000 (12:21 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 15 Aug 2012 10:21:43 +0000 (12:21 +0200)
The scheduler test-task that sends an email does not properly
sanitize the input of the email field when rendering the editing
form of that task.

Change-Id: Ic77e50b339488acb5b811e35aaa558e26ac6193e
Fixes: #30967
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit: d72a6e273edb2e249c1f544f0d6b7139aecdc825
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13770
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/scheduler/examples/class.tx_scheduler_testtask_additionalfieldprovider.php

index 4ced5f6..e297bb7 100644 (file)
@@ -65,7 +65,7 @@ class tx_scheduler_TestTask_AdditionalFieldProvider implements tx_scheduler_Addi
 
                        // Write the code for the field
                $fieldID = 'task_email';
-               $fieldCode = '<input type="text" name="tx_scheduler[email]" id="' . $fieldID . '" value="' . $taskInfo['email'] . '" size="30" />';
+               $fieldCode = '<input type="text" name="tx_scheduler[email]" id="' . $fieldID . '" value="' . htmlspecialchars($taskInfo['email']) . '" size="30" />';
                $additionalFields = array();
                $additionalFields[$fieldID] = array(
                        'code'     => $fieldCode,
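Review bot: the `htmlspecialchars()` call on the `+` line relies on the default flag (ENT_COMPAT on the PHP versions these releases target), which encodes `<`, `>`, `&` and `"` but leaves single quotes alone; that is enough here only because the `value` attribute is delimited with double quotes, so passing `ENT_QUOTES` explicitly, e.g. `htmlspecialchars($taskInfo['email'], ENT_QUOTES)`, would make the escaping independent of the quoting style and is the safer idiom for attribute context. The `id` attribute is built from the constant `$fieldID` and needs no escaping, but any other value from `$taskInfo` that this provider interpolates into markup should get the same treatment, since this hunk only covers the email field.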