[SECURITY] Prevent XSS in SelectMultipleSideBySideElement 01/47601/2
author Nicole Cordes <typo3@cordes.co>
Tue, 12 Apr 2016 09:10:14 +0000 (11:10 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:10:17 +0000 (11:10 +0200)
commit ea14aaac26f20172ea9d2f4a3c616f90a203d6dc
tree 0d74b480011b3bf9e32b9d2f157a3d47b47995ec
parent d0daeb54924dd42efe0746af577f0061193feaf5
[SECURITY] Prevent XSS in SelectMultipleSideBySideElement

In JavaScript context the title attribute of a selected option is passed
as unescaped HTML argument to the function. Creating a new option tag
without title validation results in an XSS possibility. This patch removes
hardcoded attribute setting and uses jQuery functions which take care
of proper escaping.

Resolves: #75164
Releases: master, 7.6, 6.2
Security-Commit: 2efa350ff30cda81396877ae9b57e88fd1d87140
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I1d2d1c57af9f0b949cf080109ad783eae243691a
Reviewed-on: https://review.typo3.org/47601
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/backend/Resources/Public/JavaScript/FormEngine.js
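
The pattern the commit message describes, as an added example that is not TYPO3's code or the patch itself: an option tag built by string concatenation next to a hardened form, with a small inspection helper that shows what a crafted title does to the resulting markup. Function names and sample titles are constructed. So that it runs without a browser, the hardened variant encodes values by hand; in a browser, setting the attribute through the DOM (for example jQuery's `.attr()` and `.text()`) means the value is never parsed as markup.

```javascript
// Added example, not TYPO3 code; function names and sample titles are constructed.

// "Before" pattern: values are concatenated into the markup unescaped.
function buildOptionUnsafe(value, title, label) {
  return '<option value="' + value + '" title="' + title + '">' + label + '</option>';
}

// Encode the characters that can close an attribute value or open a tag.
function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hardened string form: every interpolated value is encoded first.
function buildOptionSafe(value, title, label) {
  return '<option value="' + escapeHtml(value) + '" title="' + escapeHtml(title) +
    '">' + escapeHtml(label) + '</option>';
}

// Simplified inspection (assumes double-quoted attributes): which attributes
// sit on the first start tag, and how many elements does the markup open?
function inspect(html) {
  var inQuote = false, end = -1;
  for (var i = 0; i < html.length && end < 0; i++) {
    if (html[i] === '"') inQuote = !inQuote;
    else if (html[i] === '>' && !inQuote) end = i;
  }
  var attrs = [];
  html.slice(0, end + 1).replace(/([\w-]+)="[^"]*"/g, function (m, name) {
    attrs.push(name);
  });
  return { attrs: attrs, elements: (html.match(/<[a-zA-Z]/g) || []).length };
}

// Constructed titles: one closes the attribute early, one closes the tag early.
var samples = ['Page" data-injected="1', '"><b>marker</b>'];
samples.forEach(function (title) {
  console.log(inspect(buildOptionUnsafe('12', title, 'Label')),
              inspect(buildOptionSafe('12', title, 'Label')));
});
```

In the unsafe output the first title yields a third attribute and the second yields a second element; the hardened output keeps two attributes and one element for both.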