[BUGFIX] Ensure string in htmlspecialchars()

When select fields with db relations allow pages records, the DatabaseBrowser tries to render an icon from the page row. uid of that row may be an int, which needs to be cast to string to be fed to htmlspecialchars(). Resolves: #101513 Related: #100819 Releases: main, 12.4, 11.5 Change-Id: I52ee031cb0eb09f41ae8ecb6d7005f03e65de3bd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80284 Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch> Tested-by: core-ci <typo3@b13.com>
TYPO3 · Jul 31, 2023 · 54c6793 · 54c6793
1 parent 2447096
commit 54c6793
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/typo3/sysext/backend/Classes/ElementBrowser/DatabaseBrowser.php b/typo3/sysext/backend/Classes/ElementBrowser/DatabaseBrowser.php
@@ -157,7 +157,7 @@ protected function renderTableRecords($tables)
 
             $out .= '<p>' . $this->iconFactory->getIconForRecord('pages', $mainPageRecord, Icon::SIZE_SMALL)->render() . '&nbsp;';
             if (in_array('pages', $tablesArr, true)) {
-                $out .= '<span data-uid="' . htmlspecialchars($mainPageRecord['uid']) . '" data-table="pages" data-title="' . htmlspecialchars($mainPageRecord['title']) . '">';
+                $out .= '<span data-uid="' . htmlspecialchars((string)$mainPageRecord['uid']) . '" data-table="pages" data-title="' . htmlspecialchars($mainPageRecord['title']) . '">';
                 $out .= '<a href="#" data-close="0">'
                     . $this->iconFactory->getIcon('actions-plus', Icon::SIZE_SMALL)->render()
                     . '</a>'