Bug #23303
closed
Element-Browser page tree has HSC'ed <span> elements
Added by Lienhart Woitok almost 14 years ago.
Updated over 13 years ago.
Description
See attached screenshot.
The screenshot is taken from the element browser window of a TCE group field and shows the page tree of the element browser.
I also found an & in one page title, so maybe the HSC is done twice?
(issue imported from #M15289)
I can confirm this one.
Working on that now (TYPO3 Bugday).
Reproducible also in 4.4 and trunk.
Reason is: htmlspecialchars for $title in typo3/class.browse_links.php, function wrapTitle (l. 426), introduced in rev 8318.
nav_title is htmlspecialchars'ed in class.t3lib_treeview.php, l. 685; $title is hsc'ed in the same class, l. 683, so there is no need to do it again.
This issue affects all versions of TYPO3: 4.1-4.4, trunk.
The attached patch fixes this issue. By analyzing the source code, we can be sure that the title for regular pages (not for files and folders) is escaped by htmlspecialchars() before. Thus, the superfluous HSC got removed. However, this opens another possibility to introduce XSS with domain names (this is currently safe due to the possible double HSC).
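The double escaping described in this thread, as an added example that is not TYPO3's own code: the function names model the two layers named above (the tree view escaping the title once, wrapTitle() escaping it a second time) and are assumptions, not the real signatures from class.t3lib_treeview.php or class.browse_links.php.

```php
<?php
// Added example, not TYPO3 code. treeViewTitle() stands in for the tree view
// (which already HSC's the title); the two wrapTitle variants stand in for
// class.browse_links.php before and after the patch. All names are assumed.

// Layer 1: the tree view escapes the raw page title exactly once.
function treeViewTitle(string $rawTitle): string
{
    return htmlspecialchars($rawTitle, ENT_QUOTES, 'UTF-8');
}

// Layer 2, before the patch: the already-escaped title is escaped again,
// so the entities from layer 1 are themselves encoded (&amp;lt; etc.).
function wrapTitleBuggy(string $escapedTitle): string
{
    return '<span class="page-title">'
        . htmlspecialchars($escapedTitle, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Layer 2, after the patch: the caller guarantees one escape, so only wrap.
function wrapTitleFixed(string $escapedTitle): string
{
    return '<span class="page-title">' . $escapedTitle . '</span>';
}

// Approximates what the browser renders as visible text: drop the wrapper
// markup and decode the entities once.
function visibleText(string $html): string
{
    return htmlspecialchars_decode(strip_tags($html), ENT_QUOTES);
}

// Constructed page title holding the two characters the report mentions.
$rawTitle = 'Tom & Jerry <span>';
$once = treeViewTitle($rawTitle);

// Before the patch the entities stay visible as literal text; after it the
// title reads as the author typed it.
echo 'buggy: ', visibleText(wrapTitleBuggy($once)), "\n";
echo 'fixed: ', visibleText(wrapTitleFixed($once)), "\n";

// Caveat raised in the patch discussion: the fixed wrapper trusts its input.
// A value that bypasses layer 1 (the domain-name path) reaches the markup
// unescaped, so that source must escape exactly once itself.
$rawDomain = '<b>example.org</b>';
var_dump(strip_tags(wrapTitleFixed($rawDomain)) === $rawDomain);          // raw markup passed through: not acceptable
var_dump(strip_tags(wrapTitleFixed(treeViewTitle($rawDomain))) === $rawDomain); // escaped once: markup neutralised
```

The invariant to check when reviewing such a patch is that every caller of the unescaping wrapper feeds it a value escaped exactly once, which is what the domain-name remark above is about.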
The attached patch works fine for me. Thank you.
Committed to SVN:
- TYPO3_4-1 (rev. 8466)
- TYPO3_4-2 (rev. 8467)
- TYPO3_4-3 (rev. 8468)
- TYPO3_4-4 (rev. 8469)
- Trunk (rev. 8470)
released in
4.1.15
4.2.14
4.3.5
4.4.2