From ccbbfc317935408475246aa51d8babc6d5ebb8ec Mon Sep 17 00:00:00 2001
From: Steffen Gebert <steffen.gebert@typo3.org>
Date: Wed, 15 Aug 2012 12:17:18 +0200
Subject: [PATCH] [SECURITY] XSS in Indexed Search statistics

Indexed Search statistics module is vulnerable to
persistent XSS attack injected by arbitrary frontend users.

Change-Id: I9298b5d1808cef9d123d4b9c3867f1f55dfe4efe
Fixes: #31927
Releases: 6.0, 4.7, 4.6, 4.5
Security-Commit: f16df3528cb66183fd7371cf6a64f7f7da98dd74
Security-Bulletin: TYPO3-CORE-SA-2012-004
Reviewed-on: http://review.typo3.org/13736
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
---
 .../indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php b/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php
index b6848415a32a..85fd3efd3e7b 100644
--- a/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php
+++ b/typo3/sysext/indexed_search/modfunc2/class.tx_indexedsearch_modfunc2.php
@@ -164,7 +164,7 @@ class tx_indexedsearch_modfunc2 extends t3lib_extobjbase {
 		if ($res)	{
 			while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res))	{
 				$i++;
-				$table1.='<tr class="bgColor4"><td>'.$i.'.</td><td>'.$row['word'].'</td><td>&nbsp;&nbsp;'.$row['c'].'</td></tr>';
+				$table1 .= '<tr class="bgColor4"><td>' . $i . '.</td><td>' . htmlspecialchars($row['word']) . '</td><td>&nbsp;&nbsp;' . $row['c'] . '</td></tr>';
 			}
 		}
 
-- 
2.20.1