[SECURITY] Mitigate XSS in PreviewRenderer for menus
The content element preview for menus displays the
menu type label along with the record title of the
defined pages and categories. Since the output was
not properly encoded, this led to an XSS vulnerability
in the page module.

The issue is addressed by properly encoding user input.

Note: Because of a bug in `PreviewRenderer`, the
vulnerable code was most likely not executed in any
TYPO3 installation after v8.6.0.

Resolves: #93664
Releases: master, 11.1, 10.4, 9.5
Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f
Security-Bulletin: TYPO3-CORE-SA-2021-008
Security-References: CVE-2021-21370
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68433
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
o-ba authored and ohader committed Mar 16, 2021
1 parent 2adc071 commit 33ddc49
Showing 1 changed file with 2 additions and 2 deletions.
@@ -135,7 +135,7 @@ public function renderPageModulePreviewContent(GridColumnItem $item): string
BackendUtility::getLabelFromItemListMerged($record['pid'], 'tt_content', 'menu_type', $record['menu_type'])
);
$menuTypeLabel = $menuTypeLabel ?: 'invalid menu type';
$out .= $this->linkEditContent($menuTypeLabel, $record);
$out .= $this->linkEditContent(htmlspecialchars($menuTypeLabel), $record);
if ($record['menu_type'] !== '2' && ($record['pages'] || $record['selected_categories'])) {
// Show pages if menu type is not "Sitemap"
$out .= ':' . $this->linkEditContent($this->generateListForCTypeMenu($record), $record) . '<br />';
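Review bot: the `htmlspecialchars($menuTypeLabel)` call on the edited line encodes the label at its single output point, but `htmlspecialchars()` called without flags leaves single quotes untouched on PHP versions before 8.1 (ENT_QUOTES became the default only in 8.1), so if `linkEditContent()` ever places its first argument inside an attribute, pass the flag explicitly: `htmlspecialchars($menuTypeLabel, ENT_QUOTES)`. The unchanged line below hands the markup produced by `generateListForCTypeMenu()` to the same method, which is why encoding cannot be centralised in `linkEditContent()` and has to live in that helper; a functional test rendering a menu element whose `menu_type` label contains `<script>` and asserting on the encoded output would keep both call sites honest.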
@@ -379,7 +379,7 @@ protected function generateListForCTypeMenu(array $record): string
foreach ($uidList as $uid) {
$uid = (int)$uid;
$pageRecord = BackendUtility::getRecord($table, $uid, 'title');
$content .= '<br>' . $pageRecord['title'] . ' (' . $uid . ')';
$content .= '<br>' . htmlspecialchars($pageRecord['title']) . ' (' . $uid . ')';
}
return $content;
}
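Review bot: `BackendUtility::getRecord()` returns null when no row matches `$uid` (for example a page that has since been deleted), so `$pageRecord['title']` on the edited line reads an offset on null and `htmlspecialchars()` then receives null, which is deprecated from PHP 8.1. Guard the lookup before encoding, e.g. `if ($pageRecord === null) { continue; }`, or encode `(string)($pageRecord['title'] ?? '')`. The `(int)$uid` cast above already makes the uid safe to concatenate, so the title was the only unencoded value on this line.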
