In JavaScript context the title attribute of a selected option is passed
as unescaped HTML argument to the function. Creating a new option tag
without title validation results in an XSS possibility. This patch removes
hardcoded attribute setting and uses a jQuery function which takes care
of proper escaping.
Resolves: #75164
Releases: master, 7.6, 6.2
Security-Commit: 2efa350ff30cda81396877ae9b57e88fd1d87140
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I1d2d1c57af9f0b949cf080109ad783eae243691a
Reviewed-on: https://review.typo3.org/47601
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
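The commit message describes the defect as string concatenation of an unescaped value into markup. The following is an added illustration, not code from the TYPO3 patch or project: it models the removed line (raw concatenation) beside an escaping variant, without jQuery or a browser DOM. The function names, the tiny attribute tokenizer and the sample title are all constructed here; the actual fix in the hunk avoids the problem differently, by letting jQuery's `.attr()` set the attributes on the element so that no markup is ever parsed from the values.

```javascript
// Added example (not part of the TYPO3 change): contrasts building an
// <option> tag by string concatenation with building it from escaped values.

// Escape the characters that can terminate or alter a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable form: mirrors the removed "-" line, values go straight into markup.
function buildOptionUnsafe(value, title) {
  return '<option value="' + value + '" title="' + title + '"></option>';
}

// Hardened string form: every interpolated value is escaped for attribute context.
function buildOptionSafe(value, title) {
  return '<option value="' + escapeAttr(value) + '" title="' + escapeAttr(title) + '"></option>';
}

// Minimal tokenizer for the opening tag: returns the attribute names an HTML
// parser would see. It exists only to make the injected attribute visible.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf('>'));
  const names = [];
  const re = /\s([A-Za-z][\w-]*)="[^"]*"/g;
  let m;
  while ((m = re.exec(openTag)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample: a title that closes the attribute and starts a new one.
const INJECTED_TITLE = 'Second" data-injected="1';

function demo() {
  const unsafe = buildOptionUnsafe('2', INJECTED_TITLE);
  const safe = buildOptionSafe('2', INJECTED_TITLE);
  return {
    unsafe: unsafe,
    safe: safe,
    unsafeAttrs: attributeNames(unsafe), // ['value', 'title', 'data-injected']
    safeAttrs: attributeNames(safe),     // ['value', 'title']
  };
}

module.exports = { escapeAttr, buildOptionUnsafe, buildOptionSafe, attributeNames, demo };
```

Running `demo()` shows the concatenated tag gaining a third attribute the caller never intended, while the escaped tag keeps exactly `value` and `title` with the quote preserved as `&quot;`. Note that `value` was concatenated in the same way as `title` in the removed line, so the same reasoning applies to both.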
// element can be added
if (addNewValue) {
// finally add the option
- var $option = $('<option value="' + value + '" title="' + title + '"></option>');
+ var $option = $('<option></option>');
$option.attr({value: value, title: title}).text(label);
$option.appendTo($fieldEl);
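Review bot: the removed line interpolated `value` unescaped exactly as it did `title`, and the replacement sets both via `.attr({value: value, title: title})`, yet the commit message names only the title attribute; state that `value` was affected and fixed too, so the security bulletins and anyone auditing similar code know the full scope. Also worth checking that no other code path in this module still builds `<option>` markup by concatenation, since `$('<option></option>')` followed by `.attr()` and `.text(label)` is the pattern all such call sites should now follow.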