Bug #28825
closed
Using an apostrophe in the Workspace Name causes quite blank backend
Added by Ingo Pfennigstorf over 13 years ago.
Updated about 6 years ago.
Description
When you add a workspace with a name like "Sonja's Workspace" and try to switch to it, only the upper menu bar in the backend will show up; the other parts are left blank.
Though it might be clear for information scientists, editors do use names like this.
The error seemed to appear in typo3/js/modulemenu.js - so I'm not really sure whether it's a core issue or belongs to the workspace team.
- Project changed from 624 to 1716
- Category deleted (Bugs)
This sounds like a security issue, we have to check it.
Confirmed as XSS
When switching to the accordant workspace, next to the user's name the title of the active workspace is shown - without sanitization...
Classical XSS, however sys_workspaces records can only be edited on root level - so only admins can introduce the XSS...
- Status changed from New to Accepted
Wasn't the decision of the security team that issues which can only be introduced by admins are not treated as security issues? So I think we can handle this one publicly (however, I have no problem if not).
Yes, it is an issue which only an admin can exploit. We can assign this to the public workspace project.
- Project changed from 1716 to 624
- Status changed from Accepted to New
- Status changed from New to Accepted
- Assignee set to Marco Bresch
Patch set 1 of change I66bf3864d10d713dda8e64cbde0846ef1a810868 has been pushed to the review server.
It is available at http://review.typo3.org/6632
- % Done changed from 0 to 50
Patch for 4.5 coming soon
- Status changed from Accepted to Under Review
- % Done changed from 50 to 100
Patch set 1 works fine for 4.5 too.
Patch set 2 of change I66bf3864d10d713dda8e64cbde0846ef1a810868 has been pushed to the review server.
It is available at http://review.typo3.org/6632
Patch set 1 of change I0c3be5d93d6c0413df80b3b5386c0da9a7719c86 has been pushed to the review server.
It is available at http://review.typo3.org/6738
Patch set 1 of change Ie5eb328fafad556febc95b73f0bb31f1cc3713fa has been pushed to the review server.
It is available at http://review.typo3.org/6739
- Status changed from Under Review to Resolved
- Category set to Workspaces
- Project changed from 624 to TYPO3 Core
- Category changed from Workspaces to Workspaces
- Status changed from Resolved to Closed
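The failure mode reported in this issue, as an added example that is not TYPO3 code and not taken from the patches above: it assumes the workspace title was placed inside a single-quoted JavaScript string, which would explain why an apostrophe blanks the backend. All function names are hypothetical; the block shows the unescaped output next to context-specific encoding for a script block and for HTML.

```javascript
// Added illustration; function names are hypothetical, not TYPO3 APIs.

// Unsafe: the title is pasted into a single-quoted JavaScript string literal.
function renderUnsafe(title) {
  return "var workspaceTitle = '" + title + "';";
}

// Safe for an inline <script> context: JSON.stringify quotes and escapes the
// value; the extra replacement keeps <, >, & and U+2028/U+2029 out of the
// script block so the value cannot close the element or end the line early.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, function (c) {
    return "\\u" + ("000" + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

function renderSafe(title) {
  return "var workspaceTitle = " + jsStringLiteral(title) + ";";
}

// Safe for HTML text and quoted attribute values (e.g. the label shown next
// to the user's name).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the value the generated statement assigns, or null when the
// statement is not valid JavaScript (the "blank backend" case).
function evaluate(statement) {
  try {
    return new Function(statement + " return workspaceTitle;")();
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

const title = "Sonja's Workspace"; // the name from the report
console.log(evaluate(renderUnsafe(title))); // script no longer parses
console.log(evaluate(renderSafe(title)));   // original title survives intact
console.log(escapeHtml(title));
```
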