[SECURITY] Escape shortened placeholder text in HTML output
Prevent XSS by escaping the shortened placeholder text for various
Backend form elements properly.

Resolves: #90817
Releases: master, 9.5
Change-Id: I58f61b2d3d902dd3cb07e97acf974156f100a8aa
Security-Bulletin: TYPO3-CORE-SA-2020-002
Security-References: CVE-2020-11064
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64471
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
liayn authored and ohader committed May 12, 2020
1 parent 1b28fec commit 7339543
Showing 4 changed files with 4 additions and 4 deletions.
@@ -245,7 +245,7 @@ public function render()
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
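Review bot: the `value` attribute receiving `$shortenedPlaceholder` is double-quoted, and `htmlspecialchars()` with its default flags escapes `&`, `<`, `>` and `"`, so the change closes the attribute-breakout this commit describes; passing `ENT_QUOTES` explicitly, as in `htmlspecialchars($shortenedPlaceholder, ENT_QUOTES)`, would keep the call safe if the surrounding quoting style is ever changed and makes the intent clearer to the next reader.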
@@ -268,7 +268,7 @@ public function render()
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
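Review bot: this hunk is the second of four identical edits to the same placeholder markup; the duplication is why the escaping was missed in each element, so it would be worth extracting the `t3js-formengine-placeholder-placeholder` block into one shared helper (for example a protected method on a common parent of these elements, a suggestion not shown in this change) so that the escaping is applied in a single place and cannot be forgotten in a future element.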
@@ -296,7 +296,7 @@ public function render()
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
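Review bot: no test accompanies the fix in this hunk; a functional test that renders this element with a placeholder value containing `"` and `<` and asserts that the output contains `&quot;` and `&lt;` in the `value` attribute would pin the behaviour down and catch a regression if the markup is rewritten later.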
@@ -327,7 +327,7 @@ public function render()
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
$fullElement[] = '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
$fullElement[] = '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
$fullElement[] = '</div>';
$fullElement[] = '</div>';
$fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
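Review bot: on the line directly above the fixed one, `$width` is concatenated into the `style` attribute without escaping or casting; if it is not already guaranteed to be an integer at this point, casting it with `(int)` would make the whole element consistent with the escaping this hunk adds to the `value` attribute.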