[SECURITY] Encode error messages in Query Generatory & Query View

Properly encodes error messages to be used in HTML output in "EXT:lowlevel" Query Generator and Query View components. Resolves: #93868 Releases: master, 11.3, 10.4, 9.5 Change-Id: I05812ac7c1cded39edbf10d50bb4dc0fd8faf577 Security-Bulletin: CORE-SA-2021-010 Security-References: CVE-2021-32668 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69988 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 20, 2021 · 843718e · 843718e
1 parent a4406f3
commit 843718e
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/typo3/sysext/core/Classes/Database/QueryView.php b/typo3/sysext/core/Classes/Database/QueryView.php
@@ -469,7 +469,7 @@ public function queryMaker()
                         $output .= '<h2>SQL query</h2><div><pre>' . htmlspecialchars($fullQueryString) . '</pre></div>';
                     }
                     $out = '<p><strong>Error: <span class="text-danger">'
-                        . $e->getMessage()
+                        . htmlspecialchars($e->getMessage())
                         . '</span></strong></p>';
                     $output .= '<h2>SQL error</h2><div>' . $out . '</div>';
                 }

diff --git a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
@@ -389,7 +389,7 @@ public function queryMaker()
                         $output .= '<h2>SQL query</h2><div><pre>' . htmlspecialchars($fullQueryString) . '</pre></div>';
                     }
                     $out = '<p><strong>Error: <span class="text-danger">'
-                        . $e->getMessage()
+                        . htmlspecialchars($e->getMessage())
                         . '</span></strong></p>';
                     $output .= '<h2>SQL error</h2><div>' . $out . '</div>';
                 }