[SECURITY] Mitigate XSS in viewpage

The `viewpage` module contains a preset selection, where users can select different browser viewports. Since the corresponding preset labels, configurable via TSconfig, had not been encoded properly, is was vulnerable to XSS. The issue is addressed by properly encoding the labels. Resolves: #93702 Releases: master, 11.3, 10.4, 9.5 Change-Id: Ia22c5ab4332816614dd07a93d7e739d9fc1d8bac Security-Bulletin: CORE-SA-2021-009 Security-References: CVE-2021-32667 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/69987 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 20, 2021 · a4406f3 · a4406f3
1 parent 5a49b34
commit a4406f3
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/Build/Sources/TypeScript/viewpage/Resources/Public/TypeScript/Main.ts b/Build/Sources/TypeScript/viewpage/Resources/Public/TypeScript/Main.ts
@@ -14,6 +14,7 @@
 import $ from 'jquery';
 import 'jquery-ui/resizable';
 import PersistentStorage = require('TYPO3/CMS/Backend/Storage/Persistent');
+import SecurityUtility = require('TYPO3/CMS/Core/SecurityUtility');
 
 enum Selectors {
   resizableContainerIdentifier = '.t3js-viewpage-resizeable',
@@ -58,7 +59,7 @@ class ViewPage {
   }
 
   private static setLabel(label: string): void {
-    $(Selectors.currentLabelSelector).html(label);
+    $(Selectors.currentLabelSelector).html((new SecurityUtility()).encodeHtml(label));
   }
 
   private static getCurrentLabel(): string {

diff --git a/typo3/sysext/viewpage/Resources/Public/JavaScript/Main.js b/typo3/sysext/viewpage/Resources/Public/JavaScript/Main.js