From 6f2554dc4ea0b670fd5599c54fd788d4db96c4a0 Mon Sep 17 00:00:00 2001
From: Gabe Troyan
Date: Tue, 14 Jun 2022 09:17:30 +0200
Subject: [PATCH] [SECURITY] Ensure text preview of multivalue items in form editor
Multivalue items in the form editor user interface were previewed as HTML, but should be treated as scalar text only.
Resolves: #96743
Releases: main, 11.5, 10.4
Change-Id: I5e8dab26119490ecf19ac5d48c2bc7a5a00daaad
Security-Bulletin: TYPO3-CORE-SA-2022-003
Security-References: CVE-2022-31048
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73297
Tested-by: Oliver Hader
Reviewed-by: Oliver Hader
---
 .../backend/form-editor/stage-component.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/typo3/sysext/form/Resources/Public/JavaScript/backend/form-editor/stage-component.js b/typo3/sysext/form/Resources/Public/JavaScript/backend/form-editor/stage-component.js
index 4cac39607c94..a78147841290 100644
--- a/typo3/sysext/form/Resources/Public/JavaScript/backend/form-editor/stage-component.js
+++ b/typo3/sysext/form/Resources/Public/JavaScript/backend/form-editor/stage-component.js
@@ -513,10 +513,10 @@ function factory($, Helper, Icons) {
 */
 function setStageHeadline(title) {
 if (getUtility().isUndefinedOrNull(title)) {
- title = buildTitleByFormElement();
+ title = buildTitleByFormElement().text();
 }
- $(getHelper().getDomElementDataIdentifierSelector('stageHeadline')).html(title);
+ $(getHelper().getDomElementDataIdentifierSelector('stageHeadline')).text(title);
 };
 /**
@@ -981,10 +981,10 @@ function factory($, Helper, Icons) {
 getHelper()
 .getTemplatePropertyDomElement('_type', template)
- .append(getFormElementDefinition(formElement, 'label'));
+ .append(document.createTextNode(getFormElementDefinition(formElement, 'label')));
 getHelper()
 .getTemplatePropertyDomElement('_identifier', template)
- .append(formElement.get('identifier'));
+ .append(document.createTextNode(formElement.get('identifier')));
 };
 /**
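Review bot: `setStageHeadline` now renders `title` through `.text()`, so a caller that passes a jQuery object or DOM node (which the replaced `.html(title)` accepted) would end up with `[object Object]` in the headline; the callers are outside this hunk, so they are worth checking before merge. The doc comment that closes at the top of the hunk should state the new contract, e.g. `@param {string} title plain-text headline; any markup is shown literally`. The added `.text()` on `buildTitleByFormElement()` also assumes that helper returns a jQuery collection rather than a string — it is defined outside the hunk, so please confirm.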
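Review bot: `document.createTextNode()` turns a missing value into the literal text `undefined`, whereas the jQuery `.append()` it replaces appended nothing for `undefined`/`null`, so if `getFormElementDefinition(formElement, 'label')` or `formElement.get('identifier')` can be unset, the preview now shows the word "undefined" in the `_type`/`_identifier` cells. The same pattern appears in the hunk at line 1029 (`collectionElementConfiguration['label']`) and the hunk at line 1089 (`label`). Reusing the helper this file already calls keeps the old behaviour without going back to HTML insertion, e.g. `.append(document.createTextNode(getUtility().isUndefinedOrNull(label) ? '' : label));`. The `.append(rowTemplate.html())` context line at 1029 looks safe as is, since serialising the row escapes the text node's content before it is re-parsed.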
@@ -1029,7 +1029,7 @@ function factory($, Helper, Icons) {
 getHelper()
 .getTemplatePropertyDomElement('_label', rowTemplate)
- .append(collectionElementConfiguration['label']);
+ .append(document.createTextNode(collectionElementConfiguration['label']));
 $(getHelper().getDomElementDataIdentifierSelector('validatorsContainer'), $(template))
 .append(rowTemplate.html());
 }
@@ -1089,7 +1089,7 @@ function factory($, Helper, Icons) {
 }
 }
- getHelper().getTemplatePropertyDomElement('_label', rowTemplate).append(label);
+ getHelper().getTemplatePropertyDomElement('_label', rowTemplate).append(document.createTextNode(label));
 if (isPreselected) {
 getHelper().getTemplatePropertyDomElement('_label', rowTemplate).addClass(