[SECURITY] Prevent XSS in SelectMultipleSideBySideElement 96/47596/2
author Nicole Cordes <typo3@cordes.co>
Tue, 12 Apr 2016 09:09:37 +0000 (11:09 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:09:39 +0000 (11:09 +0200)
In JavaScript context the title attribute of a selected option is passed
as an unescaped HTML argument to the function. Creating a new option tag
without title validation results in an XSS possibility. This patch removes
hardcoded attribute setting and uses a jQuery function which takes care
of proper escaping.

Resolves: #75164
Releases: master, 7.6, 6.2
Security-Commit: 1f0d09bfe5899fa189ee6bde102665956dc0f9b1
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I6445259a8608fa7a592b4574cb01c672ae1a4b93
Reviewed-on: https://review.typo3.org/47596
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Resources/Public/JavaScript/FormEngine.js

index b579648..87c633c 100644 (file)
@@ -138,7 +138,7 @@ define('TYPO3/CMS/Backend/FormEngine', ['jquery'], function ($) {
                        // element can be added
                        if (addNewValue) {
                                // finally add the option
-                               var $option = $('<option value="' + value + '" title="' + title + '"></option>');
+                               var $option = $('<option></option>');
                                $option.attr({value: value, title: title}).text(label);
                                $option.appendTo($fieldEl);
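Review bot: the removed `-` line at the top of this hunk is the actual defect: `value` and `title` were concatenated into an HTML string that jQuery parsed as markup, so any markup inside a title took effect at parse time, before the `.attr()` call on the following context line overwrote those attributes. The replacement `$('<option></option>')` parses only a constant string, and the existing `.attr({value: value, title: title}).text(label)` sets the values as DOM attributes and text content, which is the right construction. Two smaller points: the retained `.attr(...).text(...)` line can be folded into the constructor as `$('<option/>', {value: value, title: title, text: label})`, and a regression test that passes a title containing `"` and `<` and asserts the appended option has exactly that string as its `title` attribute and no child elements would keep this pattern from being reintroduced in later refactoring.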