Build/Sources/TypeScript/viewpage/Resources/Public/TypeScript/Main.ts · 39c5a432b94e0e9a7ee827f1b7485d3dff46fac0 · accessibility / TYPO3.CMS

[SECURITY] Mitigate XSS in viewpage · 39c5a432

Oliver Bartsch authored Jul 20, 2021 and

Oliver Hader committed Jul 20, 2021

The `viewpage` module contains a preset selection, where
users can select different browser viewports. Since the
corresponding preset labels, configurable via TSconfig,
had not been encoded properly, is was vulnerable to XSS.

The issue is addressed by properly encoding the labels.

Resolves: #93702
Releases: master, 11.3, 10.4, 9.5
Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac
Security-Bulletin: CORE-SA-2021-009
Security-References: CVE-2021-32667
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69991


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

39c5a432