Bug #23474

includeCSS path-string pass htmlspecialchars twice

Added by Arno Dudek over 8 years ago. Updated 8 months ago.

Should have
There is an issue when including an external CSS file with parameters. I use it in a ViewHelper class like this:

// Register the file and its sub-array in the page setup (reporter's snippet, array closed here)
$GLOBALS['TSFE']->pSetup[$position][$key] = $path;
$GLOBALS['TSFE']->pSetup[$position][$key . '.'] = array(
    'media' => $media,
);

$path looks like:
http://localhost/?type=123456788&cHash=a7a8da9a0538718db5b98d003bfedd6e […]

The output is:
http://localhost/?type=123456788&amp;cHash=a7a8da9a0538718db5b98d003bfedd6e […]

You'll see the path-string passes htmlspecialchars twice:
1. class.tslib_pagegen.php line 546
2. class.t3lib_pagerenderer.php line 1105

Solution: replace in class.tslib_pagegen.php, line 546

Regards, ad

(issue imported from #M15587)

patch_15587.diff View (4.89 KB) Administrator Admin, 2010-10-29 22:32

#1 Updated by Mikkel Ricky over 8 years ago

Uploaded patch for resolving issue.

In "typo3/sysext/cms/tslib/class.tslib_pagegen.php" all htmlspecialchars() calls are removed from the method calls to

  • t3lib_PageRenderer::addCssFile
  • t3lib_PageRenderer::addJsLibrary
  • t3lib_PageRenderer::addJsFooterLibrary
  • t3lib_PageRenderer::addJsFile
  • t3lib_PageRenderer::addJsFooterFile

In "t3lib/class.t3lib_pagerenderer.php" additional htmlspecialchars calls are added when rendering html output.

#2 Updated by Steffen Gebert over 8 years ago

But isn't the & supposed to be replaced by &amp; in the output?

So I think it would be okay to remove the htmlspecialchars() in t3lib_pagegen (to handle URLs in PHP without escaped &), but not in t3lib_PageRenderer, as output should be escaped.

All without testing, so just my assumption.

#3 Updated by Mikkel Ricky over 8 years ago

The patch only removes calls to htmlspecialchars() in typo3/sysext/cms/tslib/class.tslib_pagegen.php.

htmlspecialchars() are still used in "t3lib/class.t3lib_pagerenderer.php" when rendering the actual html output, and the patch adds htmlspecialchars() around all attribute values when rendering the output.
For all practical purposes it shouldn't be necessary to send e.g. "media" and "type" attribute values through htmlspecialchars(), but it's better to be safe than sorry.
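The following is an added example, not code from TYPO3 or from the patch: a small stand-in model of the two layers the thread talks about (the collecting layer in class.tslib_pagegen.php and the rendering layer in t3lib_PageRenderer). The class and function names (PageRendererModel, collectCssBeforePatch, collectCssAfterPatch) are hypothetical. It reproduces the double escaping from the original report and then shows the behaviour after the fix described in #1 and #3: raw values are stored, and every attribute value is escaped exactly once at output, which still keeps a quote character inside the attribute.

```php
<?php
// Added example (not TYPO3 code). Models "store raw, escape once at output".

final class PageRendererModel
{
    /** @var array<int, array{file: string, media: string}> */
    private array $cssFiles = [];

    // Stand-in for t3lib_PageRenderer::addCssFile(): stores the values as given.
    public function addCssFile(string $file, string $media = 'all'): void
    {
        $this->cssFiles[] = ['file' => $file, 'media' => $media];
    }

    // Stand-in for the renderer's output step: the only place that escapes.
    public function render(): string
    {
        $out = '';
        foreach ($this->cssFiles as $css) {
            $out .= sprintf(
                '<link rel="stylesheet" type="text/css" href="%s" media="%s" />' . "\n",
                htmlspecialchars($css['file'], ENT_QUOTES),
                htmlspecialchars($css['media'], ENT_QUOTES)
            );
        }
        return $out;
    }
}

// Before the patch: the collecting layer escaped the path before handing it over.
function collectCssBeforePatch(PageRendererModel $r, string $path, string $media): void
{
    $r->addCssFile(htmlspecialchars($path), htmlspecialchars($media));
}

// After the patch: the collecting layer passes raw values; only render() escapes.
function collectCssAfterPatch(PageRendererModel $r, string $path, string $media): void
{
    $r->addCssFile($path, $media);
}

// Constructed sample path, shaped like the one in the report.
$path = 'http://localhost/?type=123456788&cHash=a7a8da9a0538718db5b98d003bfedd6e';

$buggy = new PageRendererModel();
collectCssBeforePatch($buggy, $path, 'screen');
echo $buggy->render();
// href="...&amp;amp;cHash=..." : the browser decodes this to "&amp;cHash", a broken URL.

$fixed = new PageRendererModel();
collectCssAfterPatch($fixed, $path, 'screen');
echo $fixed->render();
// href="...&amp;cHash=..." : the browser decodes this to "&cHash", the intended URL.

// Why the renderer must keep its htmlspecialchars(): a value containing a
// double quote is still rendered as &quot; and cannot terminate the attribute.
$quoted = new PageRendererModel();
collectCssAfterPatch($quoted, 'style.css" media="print', 'all');
echo $quoted->render();
// href="style.css&quot; media=&quot;print" : the quote stays inside the attribute.
```

Running this with `php` prints the three link tags; the first shows the double-encoded `&amp;amp;` from the report, the second the single `&amp;` that the browser turns back into `&`. Escaping at the output boundary only, rather than at the point the value is collected, is what keeps the result correct for both the URL and the quoted value.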

#4 Updated by Steffen Gebert over 8 years ago

Ah, sorry... today the patch looks different than last night, I swear :D

Makes sense I think.

#5 Updated by Steffen Kamper over 8 years ago

Committed to svn
4_4 rev 9292
trunk rev 9293

#6 Updated by Benni Mack 8 months ago

  • Status changed from Resolved to Closed
