[SECURITY] XSS in PreviewRenderer with descriptions
The PreviewRenderer pattern introduced with #78450 makes use of the TCA
feature `descriptionColumn` to render the content of this column in a
content element's preview in the page module.

The content of the column however was not properly escaped allowing
a persistent XSS abuse.

This patch adds a `htmlspecialchars()` to the output to escape the
content properly.

Resolves: #93562
Related: #78450
Releases: master, 11.1, 10.4
Change-Id: I144c6c2d7f4f61f4479fac3c2d400a21f5d72405
Security-Bulletin: TYPO3-CORE-SA-2021-007
Security-References: CVE-2021-21340
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68432
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
andreaskienast authored and ohader committed Mar 16, 2021
1 parent 71914e5 commit 2adc071
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -233,7 +233,7 @@ public function renderPageModulePreviewFooter(GridColumnItem $item): string
$this->getProcessedValue($item, 'starttime,endtime,fe_group,space_before_class,space_after_class', $info);

if (!empty($GLOBALS['TCA']['tt_content']['ctrl']['descriptionColumn']) && !empty($record[$GLOBALS['TCA']['tt_content']['ctrl']['descriptionColumn']])) {
$info[] = $record[$GLOBALS['TCA']['tt_content']['ctrl']['descriptionColumn']];
$info[] = htmlspecialchars($record[$GLOBALS['TCA']['tt_content']['ctrl']['descriptionColumn']]);
}

// Call drawFooter hooks
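Review bot: the `htmlspecialchars()` call on the added line relies on PHP's default flags, which before PHP 8.1 are `ENT_COMPAT`, so single quotes pass through unencoded; that is sufficient as long as every consumer of `$info` renders the entries as element content, but if any of them places an entry inside a single-quoted attribute, pass `ENT_QUOTES | ENT_SUBSTITUTE` explicitly. Two smaller points on the same hunk: `$GLOBALS['TCA']['tt_content']['ctrl']['descriptionColumn']` is now looked up three times across the condition and the escaped assignment and would read better hoisted into a local variable, and a functional test asserting that a description containing markup is rendered escaped would keep this regression from silently returning.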
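To illustrate the escaping described in the commit message, here is an added, self-contained example that is not TYPO3 core code. It mirrors the shape of the patched footer logic with a constructed TCA `ctrl` array and a constructed `tt_content` record (the column name `rowDescription` and the helper names `escapeForHtml` and `buildFooterInfo` are assumptions), and it goes one step beyond the patch by passing `ENT_QUOTES | ENT_SUBSTITUTE` explicitly, so the result is safe in attribute contexts as well as element content and does not depend on the PHP version's default flags.

```php
<?php
// Added example, not TYPO3 core code. Demonstrates escaping a
// descriptionColumn value before it is placed in a preview footer.
declare(strict_types=1);

// Constructed stand-in for $GLOBALS['TCA'] and a tt_content record.
// The column name 'rowDescription' is an assumption for this example.
$tca = ['tt_content' => ['ctrl' => ['descriptionColumn' => 'rowDescription']]];
$record = [
    'uid' => 42,
    'rowDescription' => "Editor note <script>document.title='x'</script> with 'quotes' & <b>markup</b>",
];

/**
 * Escapes a record value for both element-content and attribute contexts.
 * ENT_QUOTES encodes single and double quotes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string.
 * (Before PHP 8.1 the default flags are ENT_COMPAT, which leaves single
 * quotes unencoded.)
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Mirrors the patched footer logic: add the description column to the
 * footer info only when it is configured in TCA and non-empty on the record,
 * and escape it at the point where it becomes HTML.
 */
function buildFooterInfo(array $tca, array $record): array
{
    $info = [];
    $descriptionColumn = (string)($tca['tt_content']['ctrl']['descriptionColumn'] ?? '');
    if ($descriptionColumn !== '' && !empty($record[$descriptionColumn])) {
        $info[] = escapeForHtml((string)$record[$descriptionColumn]);
    }
    return $info;
}

// Unescaped (the pre-patch behaviour): the raw value would be emitted as markup.
$raw = $record[$tca['tt_content']['ctrl']['descriptionColumn']];

// Escaped (the patched behaviour, with explicit flags).
$info = buildFooterInfo($tca, $record);

echo "raw:     " . $raw . PHP_EOL;
echo "escaped: " . implode('<br>', $info) . PHP_EOL;

// Same value through the default flags, to compare quote handling on your PHP version.
echo "default: " . htmlspecialchars($raw) . PHP_EOL;
```

Run it with `php example.php`; the `escaped` line shows every `<`, `>`, `&` and quote encoded as an entity, while the `default` line lets you see whether your PHP version's default flags left the single quotes untouched.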
