[SECURITY] XSS in be_layouts
authorGeorg Ringer <mail@ringerge.org>
Wed, 28 Mar 2012 11:54:10 +0000 (13:54 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 28 Mar 2012 11:54:13 +0000 (13:54 +0200)
Some values from the backend layout configuration
are not properly escaped

Change-Id: Ifc5debc16e29d632f21380c1fb2e410e00633fa7
Fixes: #29536
Security-Commit: f686b42d55688dde6b6bc64f75032c56c09aed4c
Security-Bulletin: TYPO3-CORE-SA-2012-001
Reviewed-on: http://review.typo3.org/10004
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/cms/layout/class.tx_cms_layout.php

index ea1da57..c050626 100755 (executable)
@@ -618,14 +618,17 @@ class tx_cms_layout extends recordList {
                                                        $columnKey = intval($columnConfig['colPos']);
 
                                                        // render the grid cell
+                                                       $colSpan = intval($columnConfig['colspan']);
+                                                       $rowSpan = intval($columnConfig['rowspan']);
+
                                                        $grid .= '<td valign="top"' .
-                                                                       (isset($columnConfig['colspan']) ? ' colspan="' . $columnConfig['colspan'] . '"' : '') .
-                                                                       (isset($columnConfig['rowspan']) ? ' rowspan="' . $columnConfig['rowspan'] . '"' : '') .
+                                                                       ($colSpan > 0 ? ' colspan="' . $colSpan . '"' : '') .
+                                                                       ($rowSpan > 0 ? ' rowspan="' . $rowSpan . '"' : '') .
                                                                        ' class="t3-gridCell t3-page-column t3-page-column-' . $columnKey .
                                                                        (!isset($columnConfig['colPos']) ? ' t3-gridCell-unassigned' : '') .
                                                                        ((isset($columnConfig['colPos']) && ! $head[$columnKey]) ? ' t3-gridCell-restricted' : '') .
-                                                                       (isset($columnConfig['colspan']) ? ' t3-gridCell-width' . $columnConfig['colspan'] : '') .
-                                                                       (isset($columnConfig['rowspan']) ? ' t3-gridCell-height' . $columnConfig['rowspan'] : '') . '">';
+                                                                       ($colSpan > 0 ? ' t3-gridCell-width' . $colSpan : '') .
+                                                                       ($rowSpan > 0 ? ' t3-gridCell-height' . $rowSpan : '') . '">';
 
                                                        // Draw the pre-generated header with edit and new buttons if a colPos is assigned.
                                                        // If not, a new header without any buttons will be generated.
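Review bot: The two new assignments at the top of the hunk read `$columnConfig['colspan']` and `$columnConfig['rowspan']` unconditionally, whereas the removed lines only read them inside `isset()`; a column without a span configured now produces an "Undefined index" notice under E_NOTICE reporting. Guarding the read keeps the fix and the old tolerance for missing keys: `$colSpan = isset($columnConfig['colspan']) ? intval($columnConfig['colspan']) : 0;` and `$rowSpan = isset($columnConfig['rowspan']) ? intval($columnConfig['rowspan']) : 0;`. It is also worth stating why the cast is the security fix, e.g. `// intval() ensures the span values emitted into the attribute and class name can never carry markup`, since a later reader may be tempted to restore the raw value for non-numeric spans. The enclosing method starts and ends outside the hunk.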