[SECURITY] Stored XSS in shortcut functionality 28/46828/2
authorWouter Wolters <typo3@wouterwolters.nl>
Tue, 23 Feb 2016 10:44:29 +0000 (11:44 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 23 Feb 2016 10:45:04 +0000 (11:45 +0100)
Resolves: #73449
Releases: 6.2
Security-Commit: c4df50a433362c2a3976f40bcbc5be82d4cb3cb6
Security-Bulletins: TYPO3-CORE-SA-2016-005, 006, 007, 008
Change-Id: I7881425226a6a23b9acf6a1870b82c4dcf0fee93
Reviewed-on: https://review.typo3.org/46828
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Classes/Toolbar/ShortcutToolbarItem.php

index ec8defc..efeccc4 100644 (file)
@@ -300,7 +300,7 @@ class ShortcutToolbarItem implements \TYPO3\CMS\Backend\Toolbar\ToolbarItemHookI
                        $shortcut['group'] = $shortcutGroup;
                        $shortcut['icon'] = $this->getShortcutIcon($row, $shortcut);
                        $shortcut['iconTitle'] = $this->getShortcutIconTitle($shortcut['label'], $row['module_name'], $row['M_module_name']);
-                       $shortcut['action'] = 'jump(unescape(\'' . rawurlencode($this->getTokenUrl($row['url'])) . '\'),\'' . $moduleName . '\',\'' . $moduleParts[0] . '\', ' . (int)$pageId . ');';
+                       $shortcut['action'] = 'jump(' . GeneralUtility::quoteJSvalue($this->getTokenUrl($row['url'])) . ',' . GeneralUtility::quoteJSvalue($moduleName) . ',' . GeneralUtility::quoteJSvalue($moduleParts[0]) . ', ' . (int)$pageId . ');';
 
                        $shortcuts[] = $shortcut;
                }
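Review bot: The new line on L22 quotes each string as a JS string literal, which is the right fix for the `jump(...)` call, but whether that output is then placed into an HTML attribute (an `onclick`) or a `<script>` body is decided outside this hunk, and the two contexts need different escaping. If the consumer renders `$shortcut['action']` inside an attribute, it must either rely on `quoteJSvalue` emitting `\uXXXX` for `'`, `"`, `<`, `>` and `&` (the case for the hardened implementation, but worth confirming for the 6.2 branch) or additionally pass the value through `htmlspecialchars()` at render time. A short why-comment would help the next maintainer keep all three interpolated values escaped, e.g. above L22: `// Shortcut rows are user-editable: url, module name and module prefix must all be quoted as JS string literals, never concatenated raw.` The `$moduleParts[0]` index is taken without checking that the array is non-empty; that is pre-existing, but an `isset()` guard would avoid an undefined-offset notice. The enclosing method starts and ends outside the hunk.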