[BUGFIX] Sanitize calling htmlspecialchars(...) in FormViewHelper
htmlspecialchars(...) expects that the first argument is a string,
otherwise triggering E_DEPRECATED.

This patch adds a string cast to ensure the value is passed as a string
to htmlspecialchars(...) in FormViewHelper.

Resolves: #95829
Releases: master
Change-Id: I96ebe29d6fd118d4306e43693554fc76d2187b87
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72011
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
sbuerk authored and maddy2101 committed Nov 3, 2021
1 parent 22eef50 commit 22fe7f9
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions typo3/sysext/fluid/Classes/ViewHelpers/FormViewHelper.php
Expand Up @@ -276,9 +276,9 @@ protected function renderHiddenReferrerFields()
];

$result = LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@extension]')) . '" value="' . htmlspecialchars($extensionName) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@controller]')) . '" value="' . htmlspecialchars($controllerName) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@action]')) . '" value="' . htmlspecialchars($actionName) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@extension]')) . '" value="' . htmlspecialchars((string)$extensionName) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@controller]')) . '" value="' . htmlspecialchars((string)$controllerName) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@action]')) . '" value="' . htmlspecialchars((string)$actionName) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[arguments]')) . '" value="' . htmlspecialchars($this->hashService->appendHmac(base64_encode(serialize($request->getArguments())))) . '" />' . LF;
$result .= '<input type="hidden" name="' . htmlspecialchars($this->prefixFieldName('__referrer[@request]')) . '" value="' . htmlspecialchars($this->hashService->appendHmac(json_encode($actionRequest))) . '" />' . LF;
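
Review bot: The `(string)` casts on `$extensionName`, `$controllerName` and `$actionName` in the three changed `__referrer[@...]` lines remove the E_DEPRECATED notice but also hide the underlying case: when one of these is not a string (for example null), the hidden field is still rendered with an empty `value`, and nothing reports it any more. Consider normalising the three variables once where they are assigned, above this hunk, instead of casting at each `htmlspecialchars()` call, and decide there whether an empty referrer part is acceptable or should be handled explicitly. A test covering the non-string case would help, since this commit changes only FormViewHelper.php. The two unchanged lines that follow pass the results of `appendHmac(...)` uncast; the last one wraps `json_encode($actionRequest)`, which returns false on failure, so it is worth confirming that path cannot reach `htmlspecialchars()` with a non-string either.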
