[SECURITY] Use fullQuoteStr instead of htmlspecialchars

froemken · Oct 14, 2019 · 91cc8da · 91cc8da
1 parent b93afba
commit 91cc8da
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/Classes/Hooks/PreProcess.php b/Classes/Hooks/PreProcess.php
@@ -91,8 +91,10 @@ protected function findDirectRedirect($requestUri)
             'tx_urlredirect_domain_model_config',
             'hidden',
             '0',
-            ' AND ((use_reg_exp=0 AND request_uri=\'' . htmlspecialchars($requestUri) . '\') OR complete_domain=1) AND ' . implode(' AND ', $where),
-            '', 'complete_domain ASC'
+            sprintf(
+                ' AND ((use_reg_exp=0 AND request_uri=%s) OR complete_domain=1) AND ' . implode(' AND ', $where),
+                $GLOBALS['TYPO3_DB']->fullQuoteStr($requestUri, 'tx_urlredirect_domain_model_config')
+            ),'', 'complete_domain ASC'
         );
 
         if (empty($redirects)) {
@@ -147,8 +149,11 @@ protected function getSysDomainUid()
         $domain = DatabaseUtility::getRecordRaw(
             'sys_domain',
             sprintf(
-                'domainName=\'%s\' AND redirectTo=\'\' AND hidden=0',
-                htmlspecialchars(GeneralUtility::getIndpEnv('HTTP_HOST'))
+                'domainName=%s AND redirectTo=\'\' AND hidden=0',
+                $GLOBALS['TYPO3_DB']->fullQuoteStr(
+                    GeneralUtility::getIndpEnv('HTTP_HOST'),
+                    'tx_urlredirect_domain_model_config'
+                )
             ),
             'uid'
         );

diff --git a/ext_emconf.php b/ext_emconf.php
@@ -27,7 +27,7 @@
     'modify_tables' => '',
     'clearCacheOnLoad' => 0,
     'lockType' => '',
-    'version' => '1.2.1',
+    'version' => '1.2.2',
     'constraints' => array(
         'depends' => array(
             'typo3' => '7.6.0-8.7.99',