Commit 02789b5b authored by Oliver Bartsch's avatar Oliver Bartsch Committed by Oliver Hader

[SECURITY] Mitigate XSS related to column names

The column names, defined in backend layouts, were not
properly encoded in some places and therefore led to an
XSS vulnerability.

The issue is addressed by properly encoding user input.

Resolves: #93683
Releases: master, 11.3, 10.4, 9.5, 8.7
Change-Id: I787cee9f56a30aeaf69294412c8d5198a144e31c
Security-Bulletin: CORE-SA-2021-011
Security-References: CVE-2021-32669
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69993

Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent a976a18a
......@@ -15,6 +15,7 @@ import {SeverityEnum} from './Enum/Severity';
import 'bootstrap';
import $ from 'jquery';
import Modal = require('./Modal');
import SecurityUtility from 'TYPO3/CMS/Core/SecurityUtility';
/**
* GridEditorConfigurationInterface
......@@ -75,8 +76,8 @@ export class GridEditor {
* @returns {string}
*/
public static stripMarkup(input: string): string {
input = input.replace(/<(.*)>/gi, '');
return $('<p>' + input + '</p>').text();
const securityUtility = new SecurityUtility();
return securityUtility.stripHtml(input);
}
/**
......@@ -894,9 +895,10 @@ export class GridEditor {
const cell = this.getCell(col, row);
if (cell) {
if (!cell.spanned) {
const cellName: string = GridEditor.stripMarkup(cell.name) || '';
colIndex++;
result += '\t\t\t\t' + (colIndex) + ' {\n';
result += '\t\t\t\t\tname = ' + ((!cell.name) ? col + 'x' + row : cell.name) + '\n';
result += '\t\t\t\t\tname = ' + ((!cellName) ? col + 'x' + row : cellName) + '\n';
if (cell.colspan > 1) {
result += '\t\t\t\t\tcolspan = ' + cell.colspan + '\n';
}
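Review bot: The stripped value at `cellName` is written into a TypoScript line `name = …` rather than into HTML, so HTML stripping is not the neutralisation that sink needs: if `cell.name` can contain a line break, the value still terminates the `name =` line and can append further keys (`colspan`, …) to whatever later parses this text. I cannot see the consumer from here, but unless line breaks are rejected upstream I would collapse them before emitting, e.g. `const cellName: string = GridEditor.stripMarkup(cell.name).replace(/[\r\n]+/g, ' ') || '';`. Separately, `stripMarkup` is a stripper, not an encoder, so its doc comment above `@returns {string}` should say that the result is still unescaped plain text and must be encoded before being inserted into HTML. The enclosing export function starts before the hunk.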
......@@ -17,10 +17,10 @@ describe('TYPO3/CMS/Backend/GridEditorTest:', () => {
describe('tests for stripMarkup', () => {
it('works with string which contains html markup only', () => {
expect(GridEditor.stripMarkup('<b>foo</b>')).toBe('');
expect(GridEditor.stripMarkup('<b>\'formula\': "x > y"</b>')).toBe('\'formula\': "x > y"');
});
it('works with string which contains html markup and normal text', () => {
expect(GridEditor.stripMarkup('<b>foo</b> bar')).toBe(' bar');
expect(GridEditor.stripMarkup('<b>foo</b> bar')).toBe('foo bar');
});
});
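Review bot: The updated assertions only pin tag removal; nothing checks what `stripMarkup` does with already-encoded input, which matters because a DOM-based strip typically decodes entities, so `&lt;b&gt;foo&lt;/b&gt;` may come back as the literal string `<b>foo</b>` and reintroduce markup if a caller later inserts the result as HTML. Add a case that pins whichever behaviour is intended, for example `expect(GridEditor.stripMarkup('&lt;b&gt;foo&lt;/b&gt;')).toBe('<b>foo</b>');` if decoding is expected, plus a `<script>alert(1)</script>` or `<img onerror=…>` case so a regression in `SecurityUtility.stripHtml` is caught by this suite. The outer `describe` block starts before the hunk.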
......@@ -213,7 +213,7 @@ class GridColumn extends AbstractGridObject
public function getTitleUnassigned(): string
{
return $this->getLanguageService()->getLL('notAssigned');
return $this->getTitle() . ' (' . $this->getLanguageService()->getLL('notAssigned') . ')';
}
public function isUnassigned(): bool
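Review bot: `getTitleUnassigned()` now returns the column title joined with the localized suffix instead of the bare label, and there is no docblock stating that, so any other caller that used it as the label alone would silently get the wrong text. Add `/** Column title followed by the localized "not assigned" marker, as plain text; the Fluid template is responsible for HTML-encoding it. */` above the method. It is also worth confirming that `getTitle()` returns unescaped text, because the template now relies on auto-escaping and a pre-encoded title would be double-encoded.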
......@@ -9,13 +9,10 @@
{column.title}
</f:then>
<f:else if="{column.unassigned}">
{column.title} (<f:format.raw>{column.titleUnassigned}</f:format.raw>)
</f:else>
<f:else if="!{hideRestrictedColumns}">
<f:format.raw>{column.titleInaccessible}</f:format.raw>
{column.titleUnassigned}
</f:else>
<f:else>
<f:format.raw>{column.titleInaccessible}</f:format.raw>
{column.titleInaccessible}
</f:else>
</f:if>
</div>
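Review bot: Dropping `<f:format.raw>` only neutralises the titles if Fluid auto-escaping is active for this template; if the file declares `{escaping false}` (or `{escapingEnabled=false}`) above this hunk, `{column.titleUnassigned}` and `{column.titleInaccessible}` are still rendered raw. Check the head of the template, which is outside the hunk, and if such a declaration exists either remove it or wrap the variables in `<f:format.htmlspecialchars>`. Also confirm `getTitleInaccessible()` carries no intentional markup, since it is now shown as text. The enclosing `<f:if>` starts before the hunk.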
......@@ -10,4 +10,4 @@
*
* The TYPO3 project - inspiring people to share!
*/
define(["require","exports","TYPO3/CMS/Backend/GridEditor"],(function(r,t,e){"use strict";Object.defineProperty(t,"__esModule",{value:!0}),describe("TYPO3/CMS/Backend/GridEditorTest:",()=>{describe("tests for stripMarkup",()=>{it("works with string which contains html markup only",()=>{expect(e.GridEditor.stripMarkup("<b>foo</b>")).toBe("")}),it("works with string which contains html markup and normal text",()=>{expect(e.GridEditor.stripMarkup("<b>foo</b> bar")).toBe(" bar")})})})}));
\ No newline at end of file
define(["require","exports","TYPO3/CMS/Backend/GridEditor"],(function(r,t,e){"use strict";Object.defineProperty(t,"__esModule",{value:!0}),describe("TYPO3/CMS/Backend/GridEditorTest:",()=>{describe("tests for stripMarkup",()=>{it("works with string which contains html markup only",()=>{expect(e.GridEditor.stripMarkup("<b>'formula': \"x > y\"</b>")).toBe("'formula': \"x > y\"")}),it("works with string which contains html markup and normal text",()=>{expect(e.GridEditor.stripMarkup("<b>foo</b> bar")).toBe("foo bar")})})})}));
\ No newline at end of file