Fixed bug #14978: XSS in file tree (thanks to Georg Ringer)
authorOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:51:16 +0000 (08:51 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 28 Jul 2010 08:51:16 +0000 (08:51 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8315 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/class.browse_links.php
typo3/sysext/rtehtmlarea/mod3/class.tx_rtehtmlarea_browse_links.php
typo3/sysext/rtehtmlarea/mod4/class.tx_rtehtmlarea_select_image.php

index 69ddaa7..eeda559 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2010-07-28  Oliver Hader  <oliver@typo3.org>
+
+       * Fixed bug #14978: XSS in file tree (thanks to Georg Ringer)
+
 2010-07-21  Ingo Renner  <ingo@typo3.org>
 
        * Fixed bug #15179: Tree depth retrieval inconsistently limited to 20 levels int3lib_pageSelect
index 8502424..111d4e5 100755 (executable)
@@ -435,6 +435,8 @@ class TBE_PageTree extends localPageTree {
         * @return      string          Wrapping title string.
         */
        function wrapTitle($title,$v,$ext_pArrPages)    {
+               $title = htmlspecialchars($title);
+
                if ($ext_pArrPages)     {
                        $ficon=t3lib_iconWorks::getIcon('pages',$v);
                        $onClick = "return insertElement('pages', '".$v['uid']."', 'db', ".t3lib_div::quoteJSvalue($v['title']).", '', '', '".$ficon."','',1);";
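Review bot: The added `$title = htmlspecialchars($title);` in TBE_PageTree::wrapTitle escapes a value whose origin is not visible in the hunk; in this tree hierarchy the title normally arrives via the tree's getTitleStr() (not shown), and if that method already applies htmlspecialchars or wraps the title in `<span title="…">`/`<em>` markup, this line double-encodes it and renders the tags as literal text. Before merging, confirm whether the page-tree caller hands over raw or already-escaped HTML; if it is already escaped, the folder-tree hunks below are the ones that actually need the fix and this one should be dropped, or the escaping should move to where the raw title is produced. Note that `$v['title']` on the onClick line is passed through quoteJSvalue(), so it is unaffected either way. The body of wrapTitle, including its return, continues outside the hunk.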
@@ -482,6 +484,8 @@ class localFolderTree extends t3lib_folderTree {
         * @return      string          Wrapping title string.
         */
        function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+
                if ($this->ext_isLinkable($v))  {
                        $aOnClick = 'return jumpToUrl(\''.$this->thisScript.'?act='.$GLOBALS['SOBE']->browser->act.'&mode='.$GLOBALS['SOBE']->browser->mode.'&expandFolder='.rawurlencode($v['path']).'\');';
                        return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
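Review bot: The new escaping covers `$title`, but the `$aOnClick` line directly above still concatenates `$GLOBALS['SOBE']->browser->act` and `->mode` into a single-quoted JavaScript string without any encoding, while only `$v['path']` is passed through rawurlencode(); the outer htmlspecialchars() on the onclick attribute uses the default flags, which do not encode `'`, so a single quote in either value would terminate the JS literal. If `act` and `mode` are request-derived mode switches (they look like it, but their source is not shown), encode them the same way as the path, e.g. `'&act='.rawurlencode($GLOBALS['SOBE']->browser->act).'&mode='.rawurlencode($GLOBALS['SOBE']->browser->mode).`. The same pattern appears in the TBE_FolderTree hunk below and in the rtehtmlarea mod3 hunk (`editorNo`, `contentTypo3Language`, `contentTypo3Charset`, `mode`) and mod4 hunk (`editorNo`). The remainder of wrapTitle lies outside the hunk.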
@@ -634,6 +638,8 @@ class TBE_FolderTree extends localFolderTree {
         * @return      string          Wrapping title string.
         */
        function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+
                if ($this->ext_isLinkable($v))  {
                        $aOnClick = 'return jumpToUrl(\''.$this->thisScript.'?act='.$GLOBALS['SOBE']->browser->act.'&mode='.$GLOBALS['SOBE']->browser->mode.'&expandFolder='.rawurlencode($v['path']).'\');';
                        return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
index f3b4d68..5ae1c75 100644 (file)
@@ -120,6 +120,8 @@ class tx_rtehtmlarea_folderTree extends rteFolderTree {
         * @return      string          Wrapping title string.
         */
        function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+               
                if ($this->ext_isLinkable($v))  {
                        $aOnClick = 'return jumpToUrl(\''.$this->thisScript.'?act='.$GLOBALS['SOBE']->browser->act.'&editorNo='.$GLOBALS['SOBE']->browser->editorNo.'&contentTypo3Language='.$GLOBALS['SOBE']->browser->contentTypo3Language.'&contentTypo3Charset='.$GLOBALS['SOBE']->browser->contentTypo3Charset.'&mode='.$GLOBALS['SOBE']->browser->mode.'&expandFolder='.rawurlencode($v['path']).'\');';
                        return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';
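Review bot: The blank line added after `$title = htmlspecialchars($title);` in tx_rtehtmlarea_folderTree::wrapTitle carries trailing whitespace, unlike the bare blank lines added in class.browse_links.php; the same applies to the mod4 hunk that follows. Drop the trailing spaces so the five copies of this fix are identical. Since this is the fourth override receiving the same one-line change, a short why-comment would help the next maintainer, e.g. `// $title is echoed inside the <a> below; escape it here before any markup is added`. The function continues past the end of the hunk.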
index eb98412..091eb20 100644 (file)
@@ -56,6 +56,8 @@ class tx_rtehtmlarea_image_folderTree extends t3lib_folderTree {
         * @return      string          Wrapping title string.
         */
        function wrapTitle($title,$v)   {
+               $title = htmlspecialchars($title);
+               
                if ($this->ext_isLinkable($v))  {
                        $aOnClick = 'return jumpToUrl(\'?editorNo='.$GLOBALS['SOBE']->browser->editorNo.'&expandFolder='.rawurlencode($v['path']).'\');';
                        return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.$title.'</a>';