[SECURITY] XSS in TCA type inline 08/47608/2
authorFrank Naegler <frank.naegler@typo3.org>
Tue, 12 Apr 2016 09:11:08 +0000 (11:11 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:11:10 +0000 (11:11 +0200)
This patch fixes an XSS vulnerability in TCA type inline.

Resolves: #73460
Releases: master, 7.6
Security-Commit: 8f178b4a68cbb50a55e0864b3f3c9989aa415ab3
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I7a39d3d6717b3edb02f6a7ee82675279d7ebf940
Reviewed-on: https://review.typo3.org/47608
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Form/FormDataProvider/TcaRecordTitle.php
typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/TcaRecordTitleTest.php

index e5c1a0f..f53df8f 100644 (file)
@@ -127,7 +127,7 @@ class TcaRecordTitle implements FormDataProviderInterface
             }
         }
 
-        $result['recordTitle'] = implode(', ', $titles);
+        $result['recordTitle'] = htmlspecialchars(implode(', ', $titles));
         return $result;
     }
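Review bot: The added `htmlspecialchars()` call on the `$result['recordTitle']` line uses PHP's default flags, which do not encode single quotes and drop the whole string on invalid UTF-8; if any consumer places the record title in a single-quoted attribute, that case stays unescaped, so `htmlspecialchars(implode(', ', $titles), ENT_QUOTES | ENT_SUBSTITUTE)` would be the safer form. Because the escaping now happens in the data provider rather than at output, `recordTitle` carries HTML entities from here on, and every consumer that escapes again or emits it in a non-HTML context (JSON, JavaScript) will double-encode — a short comment on this line, `// recordTitle is HTML-encoded here; consumers must not escape it again`, would make that contract visible. The matching test data added in the TcaRecordTitleTest.php hunk only exercises `<foo>`; a data set with `"` and `'` would pin the quote handling. The enclosing method begins outside the hunk.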
 
index de1db6f..92ccd9f 100644 (file)
@@ -271,6 +271,13 @@ class TcaRecordTitleTest extends UnitTestCase
                 'aValue',
                 'aValue',
             ],
+            'html is escaped' => [
+                [
+                    'type' => 'input',
+                ],
+                '<foo>',
+                '&lt;foo&gt;',
+            ],
             'date input' => [
                 [
                     'type' => 'input',