Bug #75016
closedPrevent XSS in fluid viewhelpern
100%
Description
There are some viewhelpers which miss to escape incoming variables and cause XSS entry points.
1. Set up a TYPO3 instance with current master
2. Include "fluid_stlyed_content" in root template
3. Create a content element of type "header"
4. Set the header field to "<script>alert('header xss');</script>"
5. Open page in frontend.
Updated by Gerrit Code Review about 8 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193
Updated by Gerrit Code Review about 8 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193
Updated by Gerrit Code Review about 8 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193
Updated by Gerrit Code Review about 8 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193
Updated by Markus Klein about 8 years ago
- Sprint Focus set to Stabilization Sprint
Updated by Nicole Cordes about 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset c7c28e6b37ce8b9a0d445f7c9030dfa0771227d6.
Updated by Riccardo De Contardi over 6 years ago
- Status changed from Resolved to Closed