Commit 7339543a authored by Markus Klein's avatar Markus Klein Committed by Oliver Hader

[SECURITY] Escape shortened placeholder text in HTML output

Prevent XSS by escaping the shortened placeholder text for various
Backend form elements properly.

Resolves: #90817
Releases: master, 9.5
Change-Id: I58f61b2d3d902dd3cb07e97acf974156f100a8aa
Security-Bulletin: TYPO3-CORE-SA-2020-002
Security-References: CVE-2020-11064
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64471


Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 1b28fec3
......@@ -245,7 +245,7 @@ class InputColorPickerElement extends AbstractFormElement
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
......
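Review bot: The escaping itself is right, but the same six-line placeholder markup is repeated verbatim in InputColorPickerElement (this hunk), InputDateTimeElement, InputLinkElement and InputTextElement, so the missing htmlspecialchars() had to be found and fixed four times and a fifth element built by copy-paste would start out unescaped again. A protected helper on AbstractFormElement that takes the shortened placeholder and the width and returns the escaped `<div class="t3js-formengine-placeholder-placeholder">…</div>` fragment would put the escaping in exactly one place; each element would then reduce this stretch to a single call like `$fullElement[] = $this->renderPlaceholderInput($shortenedPlaceholder, $width);` (constructed name). On the line above the fix, `$width` is still concatenated into the style attribute without escaping; if it is cast to int where it is computed (outside this hunk) that is fine, otherwise `(int)$width` here would close the same class of gap. The double-quoted `value` attribute means htmlspecialchars()'s default flags suffice, but passing ENT_QUOTES explicitly documents that intent. The enclosing render method begins and ends outside the hunk.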
......@@ -268,7 +268,7 @@ class InputDateTimeElement extends AbstractFormElement
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
......
......@@ -296,7 +296,7 @@ class InputLinkElement extends AbstractFormElement
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
......
......@@ -327,7 +327,7 @@ class InputTextElement extends AbstractFormElement
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
......