From 843718ec5da017b0c4e24dced7d7038307a3cea8 Mon Sep 17 00:00:00 2001 From: Oliver Hader Date: Tue, 20 Jul 2021 11:17:36 +0200 Subject: [PATCH] [SECURITY] Encode error messages in Query Generatory & Query View Properly encodes error messages to be used in HTML output in "EXT:lowlevel" Query Generator and Query View components. Resolves: #93868 Releases: master, 11.3, 10.4, 9.5 Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577 Security-Bulletin: CORE-SA-2021-010 Security-References: CVE-2021-32668 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69988 Tested-by: Oliver Hader Reviewed-by: Oliver Hader
---
 typo3/sysext/core/Classes/Database/QueryView.php | 2 +- typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/typo3/sysext/core/Classes/Database/QueryView.php b/typo3/sysext/core/Classes/Database/QueryView.php
index 151041a37046..820e50b6e26f 100644
--- a/typo3/sysext/core/Classes/Database/QueryView.php
+++ b/typo3/sysext/core/Classes/Database/QueryView.php
@@ -469,7 +469,7 @@ public function queryMaker()
 $output .= '

SQL query

' . htmlspecialchars($fullQueryString) . '
'; } $out = '

Error: ' - . $e->getMessage() + . htmlspecialchars($e->getMessage()) . '

'; $output .= '

SQL error

' . $out . '
'; }
diff --git a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
index c64b7fe7bedd..ef4cfc278a72 100644
--- a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
+++ b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
@@ -389,7 +389,7 @@ public function queryMaker()
 $output .= '
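Review bot: The new `htmlspecialchars($e->getMessage())` relies on PHP's default flags and charset, and this patch is released to the 9.5 and 10.4 branches, which run on PHP 7.x where the defaults are ENT_COMPAT and the ini `default_charset`; because the message is database-driver output that can carry arbitrary bytes, an invalid UTF-8 sequence makes `htmlspecialchars` return an empty string unless ENT_SUBSTITUTE is passed, silently blanking the error the user is meant to see. I would pin the flags, `. htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and apply the same flags to the `htmlspecialchars($fullQueryString)` call earlier in the hunk so the two escaping sites agree. The markup wrapping these strings appears to have been stripped in this rendering, so whether the message lands in element content or inside an attribute cannot be confirmed here; ENT_QUOTES is safe for both. The enclosing `catch` and `queryMaker()` begin before this hunk.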

SQL query

' . htmlspecialchars($fullQueryString) . '
'; } $out = '

Error: ' - . $e->getMessage() + . htmlspecialchars($e->getMessage()) . '

'; $output .= '

SQL error

' . $out . '
'; }
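Review bot: This hunk is a verbatim repeat of the QueryView.php change, which shows that `queryMaker()` in `lowlevel/Classes/Database/QueryGenerator.php` and `core/Classes/Database/QueryView.php` carry duplicated HTML rendering for the SQL error branch, so the same XSS had to be found and fixed twice and any further escaping gap will again need two patches. A follow-up could move the error-block rendering into one shared helper that both classes call with the exception message and the query string, so escaping lives in a single place. As in the sibling hunk, the call uses default `htmlspecialchars` flags; `htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` would make the encoding explicit on the PHP 7 branches this patch targets and avoid an empty result on malformed bytes. `queryMaker()` and its `catch` open before this hunk.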