Commit a976a18a authored by Oliver Hader, committed by Oliver Hader

[SECURITY] Encode error messages in Query Generator & Query View

Properly encodes error messages to be used in HTML output in
"EXT:lowlevel" Query Generator and Query View components.

Resolves: #93868
Releases: master, 11.3, 10.4, 9.5
Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577
Security-Bulletin: CORE-SA-2021-010
Security-References: CVE-2021-32668
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69992

Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 39c5a432
......@@ -469,7 +469,7 @@ class QueryView
$output .= '<h2>SQL query</h2><div><pre>' . htmlspecialchars($fullQueryString) . '</pre></div>';
}
$out = '<p><strong>Error: <span class="text-danger">'
. $e->getMessage()
. htmlspecialchars($e->getMessage())
. '</span></strong></p>';
$output .= '<h2>SQL error</h2><div>' . $out . '</div>';
}
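Review bot: The fix is correct for this context: the exception message is concatenated directly into element content of the `<span>`, so passing it through `htmlspecialchars()` closes the injection path, and it is now consistent with the `htmlspecialchars($fullQueryString)` on the line just above. Note that the message itself typically echoes the failed SQL, which is where attacker-influenced input reaches the page. If this string is ever reused inside an HTML attribute rather than element content, `htmlspecialchars($e->getMessage(), ENT_QUOTES)` would be the safer form; as written in the hunk, element content, the default flags are sufficient.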
......@@ -389,7 +389,7 @@ class QueryGenerator
$output .= '<h2>SQL query</h2><div><pre>' . htmlspecialchars($fullQueryString) . '</pre></div>';
}
$out = '<p><strong>Error: <span class="text-danger">'
. $e->getMessage()
. htmlspecialchars($e->getMessage())
. '</span></strong></p>';
$output .= '<h2>SQL error</h2><div>' . $out . '</div>';
}
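Review bot: These four lines are byte-for-byte identical to the block patched in QueryView (the `Error: <span class="text-danger">` markup around `htmlspecialchars($e->getMessage())`), which is why the same vulnerability had to be fixed twice. Consider extracting the error rendering into a single shared helper so that the next escaping change lands in one place and cannot be missed in one of the two copies.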