Code injection possible in Search field
Priority: Must have
Due date:
Assignee: Ingo Renner
% Done:
TYPO3 Version:
Has patch:
When using quotes in the search field it is possible to insert HTML to the page.
"></div><h1>Code injection</h1><hr class="ci
FIX: quotes should be replaced by &quot;
Related to: Apache Solr for TYPO3 CMS - Bug #8036: UTF8 chars in search string are not displayed correct in ... (Resolved, 2010-06-02)
Updated by Ingo Renner about 3 years ago
- Category set to Frontend Plugins
- Status changed from New to Resolved
- Assignee set to Ingo Renner
- Target version set to 1.1
- % Done changed from 0 to 100
Resolved by adding htmlentities() with the ENT_QUOTES option; t3lib_div::removeXSS() was already in place though, so no harmful HTML could be inserted.
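The report above shows the search term being echoed into the value attribute of the search form, and the resolution names htmlentities() with ENT_QUOTES as the fix. The following is an added example (not the extension's own code) that puts the unescaped and the escaped rendering side by side so the effect of ENT_QUOTES can be seen directly. The function names, the attribute layout and the UTF-8 charset argument are assumptions for illustration; the ticket itself only names htmlentities() and ENT_QUOTES.

```php
<?php
// Added example, not code from the Apache Solr for TYPO3 extension.
// Demonstrates why unescaped quotes in the search term let markup escape the
// value attribute, and how htmlentities() with ENT_QUOTES prevents it.

// Constructed sample input in the style of the report: a double quote closes
// the value attribute, ">" closes the input tag, and the rest is free markup.
const SAMPLE_TERM = '"></div><h1>Code injection</h1><hr class="ci';

// Before the fix (hypothetical rendering): the raw term goes into the attribute.
function renderSearchFieldUnescaped(string $term): string
{
    return '<input type="text" name="q" value="' . $term . '" />';
}

// After the fix: ENT_QUOTES converts both " and ' into entities, so the term
// can never terminate the attribute whichever quote style the template uses.
// The charset argument is an assumption here, added because htmlentities()
// must know the encoding to handle multibyte UTF-8 input correctly.
function renderSearchFieldEscaped(string $term): string
{
    $safe = htmlentities($term, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="q" value="' . $safe . '" />';
}

// Simple check a defender can run: does the rendered markup still contain a
// raw tag from the input, or only the single input element it should?
function containsInjectedTag(string $html): bool
{
    return strpos($html, '<h1>') !== false || strpos($html, '</div>') !== false;
}

$unescaped = renderSearchFieldUnescaped(SAMPLE_TERM);
$escaped   = renderSearchFieldEscaped(SAMPLE_TERM);

echo "Unescaped: " . $unescaped . PHP_EOL;
echo "Escaped:   " . $escaped . PHP_EOL;

if (containsInjectedTag($unescaped) && !containsInjectedTag($escaped)) {
    echo "OK: injected markup survives only in the unescaped rendering." . PHP_EOL;
} else {
    echo "Unexpected result, inspect the output above." . PHP_EOL;
}
```

Two points worth noting when applying the same fix elsewhere: htmlspecialchars() with ENT_QUOTES is sufficient for attribute safety and leaves non-ASCII characters untouched, whereas htmlentities() additionally converts them to named entities; and whichever function is used, the charset argument must match the page encoding, which is the link to the related UTF-8 display issue #8036.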