Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SECURITY] Encode child node variables in f:asset.css view helper
Variables in child nodes like `<f:asset.css>{value}</f:asset.css>` were not encoded and allow cross-site scripting. In case values shall be taken as is, corresponding `f:format.raw` instruction has to be used. Resolves: #97900 Releases: main, 11.5, 10.4 Change-Id: Id843a41c42bbe1f74cdc4efbc117b24d20026b97 Security-Bulletin: TYPO3-CORE-SA-2022-010 Security-References: CVE-2022-36108 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75713 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
- Loading branch information
Showing
2 changed files
with
75 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters