[SECURITY] Fix cross-Site Scripting vulnerability
authorChristian Futterlieb <christian@futterlieb.ch>
Mon, 29 Jun 2015 13:39:43 +0000 (15:39 +0200)
committerChristian Futterlieb <christian@futterlieb.ch>
Mon, 29 Jun 2015 13:39:43 +0000 (15:39 +0200)
See
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2015-015/

Classes/Controller/PagenotfoundController.php

index 8d8a4fb..db73fa4 100644 (file)
@@ -267,9 +267,9 @@ class Tx_Pagenotfoundhandling_Controller_PagenotfoundController
         $html = str_replace('###TITLE###', $language->getLL('page_title', 1), $html);
         $html = str_replace('###MESSAGE###', $language->getLL('page_message', 1), $html);
         $html = str_replace('###REASON_TITLE###', $language->getLL('reason_title', 1), $html);
-        $html = str_replace('###REASON###', $this->_params['reasonText'], $html);
+        $html = str_replace('###REASON###', htmlspecialchars($this->_params['reasonText']), $html);
         $html = str_replace('###CURRENT_URL_TITLE###', $language->getLL('current_url_title', 1), $html);
-        $html = str_replace('###CURRENT_URL###', $this->_params['currentUrl'], $html);
+        $html = str_replace('###CURRENT_URL###', htmlspecialchars($this->_params['currentUrl']), $html);
         return $html;
     }
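Review bot: The two added `htmlspecialchars()` calls on the `###REASON###` and `###CURRENT_URL###` lines rely on the function's default flags and charset, which in the PHP versions current for this code (pre-8.1) means `ENT_COMPAT`: double quotes are escaped but single quotes are not, so the substitution is only safe if the template never places either placeholder inside a single-quoted attribute, which the hunk does not let us confirm. Making the flags explicit removes that dependence on the template and on the PHP version: `htmlspecialchars($this->_params['reasonText'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and likewise for `currentUrl`; `ENT_SUBSTITUTE` also keeps an invalid-UTF-8 input from collapsing the whole value to an empty string, which would otherwise blank the output silently. Since `currentUrl` is a URL, note that HTML escaping only addresses the text/attribute-value context; if the template uses it as an `href`, the scheme would need a separate check, which is an observation to confirm against the template rather than something this hunk shows. The surrounding method starts before the hunk, so the origin of `$this->_params` is not visible here.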