Bug #23303
closed
Element-Browser page tree has HSC'ed <span> elements
0%
Description
See attached screenshot.
The screenshot is taken from the element browser window of an TCE group field and shows the page tree of the element browser.
I also found an & in one page title, so maybe the HSC is done twice?
(issue imported from #M15289)
Files
Updated by over 13 years ago
I can confirm this one.
Working on that now (TYPO3 Bugday).
Reproducible also in 4.4 and trunk.
Reason is
htmlspecialchars for $title in
typo3/class.browse_links.php
function wrapTitle (l. 426)
introduced in rev 8318
Updated by over 13 years ago
nav_title is htmlspecialchared in class.t3lib_treeview.php, l. 685
$title is hsc'ed in same class l. 683
so no need to do it again
Updated by Oliver Hader over 13 years ago
This issue affects all versions of TYPO3. 4.1-4.4, Trunk
Updated by Oliver Hader over 13 years ago
The attached patch fixes this issue. By analyzing the source code, we can be sure that the title for regular pages (not for files and folders) are escaped by htmlspecialchars() before. Thus, the superfluous HSC go removed. However, this opens another possibility to introduce XSS with domain names (this is currently safe due to the possible double HSC).
Updated by Lienhart Woitok over 13 years ago
The attached patch works fine for me. Thank you.
Updated by Oliver Hader over 13 years ago
- TYPO3_4-1 (rev. 8466)
- TYPO3_4-2 (rev. 8467)
- TYPO3_4-3 (rev. 8468)
- TYPO3_4-4 (rev. 8469)
- Trunk (rev. 8470)
Updated by 