From: Stephan Großberndt <stephan@grossberndt.de>
Date: Sat, 16 Dec 2017 13:10:40 +0000 (+0100)
Subject: [BUGFIX] Add missing htmlspecialchars() and cleanup in EXT:recordlist
X-Git-Tag: v9.1.0~151
X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/ca91b4cff3cddf6da5d107f4a30efe2ab8d11b5c

[BUGFIX] Add missing htmlspecialchars() and cleanup in EXT:recordlist

Add missing htmlspecialchars() calls in EXT:recordlist and do cleanup.

Resolves: #83358
Releases: master, 8.7
Change-Id: If441da15bd0b37ca94121b3787457dddde9380bf
Reviewed-on: https://review.typo3.org/55117
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
---

diff --git a/typo3/sysext/recordlist/Classes/Controller/AbstractLinkBrowserController.php b/typo3/sysext/recordlist/Classes/Controller/AbstractLinkBrowserController.php
index 08246c09409c..7cf137e0648d 100644
--- a/typo3/sysext/recordlist/Classes/Controller/AbstractLinkBrowserController.php
+++ b/typo3/sysext/recordlist/Classes/Controller/AbstractLinkBrowserController.php
@@ -171,14 +171,11 @@ abstract class AbstractLinkBrowserController
 
         $options = '';
         foreach ($menuData as $id => $def) {
-            $class = $def['isActive'] ? 'active' : '';
-            $label = $def['label'];
-            $url = htmlspecialchars($def['url']);
-            $params = $def['addParams'];
-
-            $options .= '<li class="' . $class . '">' .
-                '<a href="' . $url . '" ' . $params . '>' . $label . '</a>' .
-                '</li>';
+            $class = $def['isActive'] ? ' class="active"' : '';
+
+            $options .= '<li' . $class . '>'
+                . '<a href="' . htmlspecialchars($def['url']) . '" ' . $def['addParams'] . '>' . htmlspecialchars($def['label']) . '</a>'
+                . '</li>';
         }
 
         $content .= '<div class="element-browser-panel element-browser-tabs"><ul class="nav nav-tabs" role="tablist">' .
@@ -381,7 +378,7 @@ abstract class AbstractLinkBrowserController
                 $addParams = $configuration['addParams'];
             } else {
                 $parameters = GeneralUtility::implodeArrayForUrl('', $this->getUrlParameters(['act' => $identifier]));
-                $addParams = 'onclick="jumpToUrl(' . GeneralUtility::quoteJSvalue('?' . ltrim($parameters, '&')) . ');return false;"';
+                $addParams = 'onclick="jumpToUrl(' . htmlspecialchars(GeneralUtility::quoteJSvalue('?' . ltrim($parameters, '&'))) . ');return false;"';
             }
             $menuDef[$identifier] = [
                 'isActive' => $isActive,
diff --git a/typo3/sysext/recordlist/Classes/LinkHandler/PageLinkHandler.php b/typo3/sysext/recordlist/Classes/LinkHandler/PageLinkHandler.php
index 15f6a6e0e117..874973110686 100644
--- a/typo3/sysext/recordlist/Classes/LinkHandler/PageLinkHandler.php
+++ b/typo3/sysext/recordlist/Classes/LinkHandler/PageLinkHandler.php
@@ -110,7 +110,7 @@ class PageLinkHandler extends AbstractLinkHandler implements LinkHandlerInterfac
         $lang = $this->getLanguageService();
         $titleLen = (int)$this->getBackendUser()->uc['titleLen'];
 
-        $id = $this->linkParts['url']['pageuid'];
+        $id = (int)$this->linkParts['url']['pageuid'];
         $pageRow = BackendUtility::getRecordWSOL('pages', $id);
 
         return htmlspecialchars($lang->getLL('page'))
diff --git a/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php b/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
index ae03dfd2c240..9609ca81ecb3 100644
--- a/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
+++ b/typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php
@@ -1827,8 +1827,8 @@ class DatabaseRecordList
         }
         $pageNumberInput = '
 			<input type="number" min="1" max="' . $totalPages . '" value="' . $currentPage . '" size="3" class="form-control input-sm paginator-input" id="jumpPage-' . $renderPart . '" name="jumpPage-'
-            . $renderPart . '" onkeyup="if (event.keyCode == 13) { document.dblistForm.action=' . GeneralUtility::quoteJSvalue($listURL
-            . '&pointer=') . '+calculatePointer(this.value); document.dblistForm.submit(); } return true;" />
+            . $renderPart . '" onkeyup="if (event.keyCode == 13) { document.dblistForm.action=' . htmlspecialchars(GeneralUtility::quoteJSvalue($listURL . '&pointer='))
+            . '+calculatePointer(this.value); document.dblistForm.submit(); } return true;" />
 			';
         $pageIndicatorText = sprintf(
             $this->getLanguageService()->sL('LLL:EXT:lang/Resources/Private/Language/locallang_mod_web_list.xlf:pageIndicator'),
@@ -3548,7 +3548,7 @@ class DatabaseRecordList
             case 'info':
                 // "Info": (All records)
                 $code = '<a href="#" onclick="' . htmlspecialchars(
-                        ('top.launchView(\'' . $table . '\', \'' . $row['uid'] . '\'); return false;')
+                        ('top.launchView(' . GeneralUtility::quoteJSvalue($table) . ', ' . (int)$row['uid'] . '); return false;')
                     ) . '" title="' . htmlspecialchars($lang->getLL('showInfo')) . '">' . $code . '</a>';
                 break;
             default:
@@ -3556,7 +3556,7 @@ class DatabaseRecordList
                 if ($table === 'pages') {
                     $code = '<a href="' . htmlspecialchars(
                             $this->listURL($uid, '', 'firstElementNumber')
-                        ) . '" onclick="setHighlight(' . $uid . ')">' . $code . '</a>';
+                        ) . '" onclick="setHighlight(' . (int)$uid . ')">' . $code . '</a>';
                 } else {
                     $code = $this->linkUrlMail($code, $origCode);
                 }
diff --git a/typo3/sysext/recordlist/Classes/Tree/View/ElementBrowserPageTreeView.php b/typo3/sysext/recordlist/Classes/Tree/View/ElementBrowserPageTreeView.php
index 7f6ad5a26c5e..5f558ef666ce 100644
--- a/typo3/sysext/recordlist/Classes/Tree/View/ElementBrowserPageTreeView.php
+++ b/typo3/sysext/recordlist/Classes/Tree/View/ElementBrowserPageTreeView.php
@@ -38,10 +38,10 @@ class ElementBrowserPageTreeView extends \TYPO3\CMS\Backend\Tree\View\ElementBro
     /**
      * Wrapping the title in a link, if applicable.
      *
-     * @param string $title Title, ready for output.
+     * @param string $title Title, ready for output (already html-escaped)
      * @param array $v The record
      * @param bool $ext_pArrPages If set, pages clicked will return immediately, otherwise reload page.
-     * @return string Wrapping title string.
+     * @return string Wrapped title string
      */
     public function wrapTitle($title, $v, $ext_pArrPages = false)
     {