XSS is possible when using a special filename. The file has to be created directly in the storage as uploading files with those names is not possible.

Add a missing htmlspecialchars to prevent html injection.

Resolves: #64618
Releases: master, 6.2
Change-Id: I192e736fe629a37e923cc02a740fa2aadea20ee1
Reviewed-on: http://review.typo3.org/36391
Reviewed-by: Ingo Schmitt <is@marketing-factory.de>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Tested-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
4347ca04