[BUGFIX] Prevent XSS on various formfield values
Also, use the standalone Fluid's htmlspecialchars VH instead of TYPO3's
htmlentities VH. For escaping purposes they're essentially the same, but going
with the former increases the portability of our code.
innologi committed Jan 29, 2019
1 parent bc450f6 commit 986d3cb
Showing 11 changed files with 25 additions and 19 deletions.
14 changes: 9 additions & 5 deletions Resources/Private/Partials/Address/Properties.html
Expand Up @@ -6,7 +6,7 @@
<td scope="row">
<f:translate key="property.appointment.address.name" />
</td>
<td><f:format.html>{address.name}</f:format.html></td>
<td><f:format.htmlspecialchars>{address.name}</f:format.htmlspecialchars></td>
</tr>
</f:if>

Expand All @@ -15,7 +15,7 @@
<td scope="row">
<f:translate key="property.appointment.address.socialSecurityNumber" />
</td>
<td><f:format.html>{address.socialSecurityNumber}</f:format.html></td>
<td><f:format.htmlspecialchars>{address.socialSecurityNumber}</f:format.htmlspecialchars></td>
</tr>
</f:if>

Expand All @@ -35,7 +35,9 @@
<td scope="row">
<f:translate key="property.appointment.address.birthday" />
</td>
<td><f:format.date format="d-m-Y">{address.birthday}</f:format.date></td>
<td><f:format.htmlspecialchars>
<f:format.date format="d-m-Y">{address.birthday}</f:format.date>
</f:format.htmlspecialchars></td>
</tr>
</f:if>

Expand All @@ -45,7 +47,9 @@
<f:translate key="property.appointment.address.address" />
</td>
<td>
<f:format.html>{address.address}<br />{address.zip} {address.city}</f:format.html>
<f:format.htmlspecialchars>{address.address}</f:format.htmlspecialchars>
<br />
<f:format.htmlspecialchars>{address.zip} {address.city}</f:format.htmlspecialchars>
</td>
</tr>
</f:if>
Expand All @@ -55,7 +59,7 @@
<td scope="row">
<f:translate key="property.appointment.address.email" />
</td>
<td><f:format.html>{address.email}</f:format.html></td>
<td><f:format.htmlspecialchars>{address.email}</f:format.htmlspecialchars></td>
</tr>
</f:if>

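Review bot: The `f:format.htmlspecialchars` wrapper added around `f:format.date` in the birthday row (the `@@ -35,7 +35,9 @@` hunk) escapes nothing: with the literal format `d-m-Y` the rendered value can only consist of digits and hyphens, and the new line breaks put stray whitespace inside the `<td>`. Unless `format` is expected to become user-controlled later, `<td><f:format.date format="d-m-Y">{address.birthday}</f:format.date></td>` is enough; if the wrapper is kept deliberately, record why in a `<f:comment>` so it is not removed later as redundant. Splitting the combined address cell so that `<br />` stays literal markup while `{address.address}` and `{address.zip} {address.city}` are each escaped separately is the right shape for that row.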
2 changes: 1 addition & 1 deletion Resources/Private/Partials/Agenda/Week.html
Expand Up @@ -21,7 +21,7 @@
<li>
<f:link.action title="{f:translate(key:'link.title.appointment_show')}" controller="Appointment" action="show" arguments="{appointment : appointment}" addQueryString="TRUE" argumentsToBeExcludedFromQueryString="{0:'tx_appointments_list[dateFirst]'}" class="link_appointment">
<f:format.date format="H:i">{appointment.beginTime}</f:format.date>
<f:format.htmlentities>{appointment.type.name}</f:format.htmlentities>
<f:format.htmlspecialchars>{appointment.type.name}</f:format.htmlspecialchars>
</f:link.action>
</li>
</f:for>
10 changes: 6 additions & 4 deletions Resources/Private/Partials/Appointment/Properties.html
Expand Up @@ -8,7 +8,7 @@
<td scope="row">
<f:translate key="property.appointment.type" />
</td>
<td><f:format.htmlentities>{appointment.type.name}</f:format.htmlentities></td>
<td><f:format.htmlspecialchars>{appointment.type.name}</f:format.htmlspecialchars></td>
</tr>
<tr>
<td scope="row">
Expand All @@ -34,7 +34,9 @@
<td scope="row">
<f:translate key="property.appointment.feUser" />
</td>
<td>{f:if(condition:appointment.feUser.name, then:appointment.feUser.name, else:appointment.feUser.username)}</td>
<td><f:format.htmlspecialchars>
{f:if(condition:appointment.feUser.name, then:appointment.feUser.name, else:appointment.feUser.username)}
</f:format.htmlspecialchars></td>
</tr>
</f:if>

Expand Down Expand Up @@ -84,7 +86,7 @@
<td scope="row">
<f:translate key="property.appointment.notes" />
</td>
<td><f:format.html>{appointment.notes}</f:format.html></td>
<td><f:format.htmlspecialchars>{appointment.notes}</f:format.htmlspecialchars></td>
</tr>
</f:if>

Expand All @@ -93,7 +95,7 @@
<td scope="row">
<f:translate key="property.appointment.notesSu" />
</td>
<td><f:format.html>{appointment.notesSu}</f:format.html></td>
<td><f:format.htmlspecialchars>{appointment.notesSu}</f:format.htmlspecialchars></td>
</tr>
</f:if>
</table>
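Review bot: The wrapper around the inline `{f:if(...)}` in the feUser row is the one place in this file where it is not redundant with Fluid's default variable escaping, and nothing in the template records that; if I recall correctly the condition ViewHelper returns its `then`/`else` argument values without escaping, which is presumably how the previous line was exploitable. A short `<f:comment>` above the row, along the lines of `inline f:if returns then/else unescaped; keep the htmlspecialchars wrapper`, would stop a later cleanup from dropping it, and keeping wrapper and expression on one line avoids the whitespace the new line breaks leave inside the `<td>`. For `notes` and `notesSu`, swapping `f:format.html` for `f:format.htmlspecialchars` also stops line breaks in multi-line text from rendering, if those are textarea fields; `<f:format.nl2br>` around the escaped value would restore that without reopening the XSS.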
4 changes: 2 additions & 2 deletions Resources/Private/Partials/Appointment/Unfinished.html
Expand Up @@ -16,13 +16,13 @@ <h4 class="alert-title">
<f:then>
<f:link.action title="{f:translate(key:'link.title.appointment_resume')}" action="new1" arguments="{appointment : appointment}" addQueryString="TRUE" class="link_appointment">
<span class="time-unreserved"><f:format.date format="d-m-Y, H:i">{appointment.beginTime}</f:format.date></span>:
<f:format.htmlentities>{appointment.type.name}</f:format.htmlentities>
<f:format.htmlspecialchars>{appointment.type.name}</f:format.htmlspecialchars>
</f:link.action>(<f:translate key="tx_appointments_list.free_state" />)
</f:then>
<f:else>
<f:link.action title="{f:translate(key:'link.title.appointment_resume')}" action="new2" arguments="{appointment : appointment}" addQueryString="TRUE" class="link_appointment">
<f:format.date format="d-m-Y, H:i">{appointment.beginTime}</f:format.date>:
<f:format.htmlentities>{appointment.type.name}</f:format.htmlentities>
<f:format.htmlspecialchars>{appointment.type.name}</f:format.htmlspecialchars>
</f:link.action>(<a:appointment.timer appointment="{appointment}" timerMinutes="{settings.freeSlotInMinutes}" format="minutes"/> <f:translate key="tx_appointments_list.minutes_remaining"/>)
</f:else>
</f:if>
2 changes: 1 addition & 1 deletion Resources/Private/Partials/FormField/FormField5.html
Expand Up @@ -12,7 +12,7 @@
value="{choiceKey}"
checked="{0:formFieldValue.value} == {0:choiceKey}"
class="formfield-id-{formField.uid} radio session"
/> <f:format.htmlentities>{choiceValue}</f:format.htmlentities>
/> <f:format.htmlspecialchars>{choiceValue}</f:format.htmlspecialchars>
</f:for>

</html>
2 changes: 1 addition & 1 deletion Resources/Private/Partials/FormField/Properties.html
Expand Up @@ -3,7 +3,7 @@

<f:if condition="{formField}">
<tr>
<td scope="row"><f:format.html>{formField.label}</f:format.html></td>
<td scope="row"><f:format.htmlspecialchars>{formField.label}</f:format.htmlspecialchars></td>
<td>
<f:render partial="FormField/Property{formField.fieldType}" arguments="{formField:formField, formFieldValue:formFieldValue}" />
</td>
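Review bot: The rewritten label cell keeps `<td scope="row">`, but `scope` is only valid on `<th>`; since this cell is the row header for the value rendered next to it, `<th scope="row"><f:format.htmlspecialchars>{formField.label}</f:format.htmlspecialchars></th>` is what assistive technology expects, and the same pattern recurs in the other Properties partials touched by this commit. The escaping change itself is fine: `{formField.label}` lands in element text, so `f:format.htmlspecialchars` covers it.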
2 changes: 1 addition & 1 deletion Resources/Private/Partials/FormField/Property2.html
@@ -1,6 +1,6 @@
<html data-namespace-typo3-fluid="true"
xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers">

<f:format.html>{formField.choicesArray.{formFieldValue.value}}</f:format.html>
<f:format.htmlspecialchars>{formField.choicesArray.{formFieldValue.value}}</f:format.htmlspecialchars>

</html>
2 changes: 1 addition & 1 deletion Resources/Private/Partials/FormField/Property3.html
@@ -1,6 +1,6 @@
<html data-namespace-typo3-fluid="true"
xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers">

<f:format.html>{formFieldValue.value}</f:format.html>
<f:format.htmlspecialchars>{formFieldValue.value}</f:format.htmlspecialchars>

</html>
2 changes: 1 addition & 1 deletion Resources/Private/Partials/FormField/Property4.html
@@ -1,6 +1,6 @@
<html data-namespace-typo3-fluid="true"
xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers">

<f:format.html>{formFieldValue.value}</f:format.html>
<f:format.htmlspecialchars>{formFieldValue.value}</f:format.htmlspecialchars>

</html>
2 changes: 1 addition & 1 deletion Resources/Private/Partials/FormField/Property5.html
@@ -1,6 +1,6 @@
<html data-namespace-typo3-fluid="true"
xmlns:f="http://typo3.org/ns/TYPO3/CMS/Fluid/ViewHelpers">

<f:format.html>{formField.choicesArray.{formFieldValue.value}}</f:format.html>
<f:format.htmlspecialchars>{formField.choicesArray.{formFieldValue.value}}</f:format.htmlspecialchars>

</html>
2 changes: 1 addition & 1 deletion Resources/Private/Templates/Appointment/List.html
Expand Up @@ -27,7 +27,7 @@
<td>
<f:link.action title="{f:translate(key:'link.title.appointment_show')}" action="show" arguments="{appointment : appointment}" addQueryString="TRUE" class="link_appointment">
<f:format.date format="d-m-Y, H:i">{appointment.beginTime}</f:format.date>:
<f:format.htmlentities>{appointment.type.name}</f:format.htmlentities>
<f:format.htmlspecialchars>{appointment.type.name}</f:format.htmlspecialchars>
</f:link.action>
</td>
<f:if condition="{a:appointment.isMutable(appointment:appointment, time:now)}">
