Commit
[SECURITY] XSS in file list through file extension
FAL currently filters invalid characters from file names stored by its API. However, this sanitization took no effect when the file was placed by e.g. uploads via FTP, which doesn't trigger FAL.

This patch adds a missing `htmlspecialchars` call when the file extension is rendered and could not be sanitized before due to mentioned circumstances.

Resolves: #88931
Releases: master, 9.5, 8.7
Security-Commit: 6f1816c5d0d5bcc3f3c986b8a5f4ee1ee63beb34
Security-Bulletin: TYPO3-CORE-SA-2019-023
Change-Id: I2e4297110c81fcee17d0c5b08ac06910ab754989
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62705
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
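The pattern the commit message describes, as an added example that is not the TYPO3 patch or any TYPO3 code: a name sanitized by a storage API on upload and the same name placed on disk out of band both reach the file list, so the renderer encodes every filename-derived value at output time. The functions `sanitizeOnUpload`, `e` and `renderRow` and the sample file names are hypothetical and constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the sanitization a storage API applies on upload.
// Files placed directly on disk (e.g. via FTP) never pass through it.
function sanitizeOnUpload(string $name): string
{
    return preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '';
}

// Encode a value for HTML element or quoted-attribute context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one file-list row. Name and extension are encoded here, at the
// point of output, regardless of how the file arrived in the storage.
function renderRow(string $nameOnDisk): string
{
    $extension = pathinfo($nameOnDisk, PATHINFO_EXTENSION);

    return sprintf(
        '<tr><td title="%s">%s</td><td>%s</td></tr>',
        e($nameOnDisk),
        e($nameOnDisk),
        e(strtoupper($extension))
    );
}

// Constructed sample names: the first went through the upload API,
// the second was placed on disk without it and still carries markup.
$viaApi = sanitizeOnUpload('notes.<b>txt');
$viaFtp = 'notes.<b>txt';

echo renderRow($viaApi), PHP_EOL;
echo renderRow($viaFtp), PHP_EOL;
```

Both rows render as inert text: the second row's extension reaches the browser as character entities, not as a tag.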