Bug #50760
Missing htmlspecialchars for link title render_textpic
Status: closed
Start date: 2013-08-04
% Done: 100%
TYPO3 Version: 6.2
PHP Version: 5.4
Complexity: easy
Description
When an image is inserted with a title that contains special chars (like quotes) the title tag of the image tag is escaped correctly.
But the title tag of the surrounding link (tested in lightbox mode) is not escaped!
The reason seems to be the initialization of the $GLOBALS['TSFE']->ATagParams variable in line 668 in the render_textpic() method in the CssStyledContentController.
$GLOBALS['TSFE']->ATagParams .= ' title="' . $titleText . '"';
As far as I can see it should be used like this:
$GLOBALS['TSFE']->ATagParams .= ' title="' . htmlspecialchars($titleText) . '"';
It does not seem to be a security issue because script tags used in the image title are stripped out.
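
Added example, not part of the original report and not TYPO3 code: a stand-alone PHP script that builds the link attribute string both ways and parses the resulting tag to show what a browser-style parser ends up with as the title. The helper names, the `image.jpg` href and the sample title are assumptions made for the illustration.

```php
<?php
// Hypothetical helpers that mirror the two concatenations quoted in the report.

// Reported behaviour: the title is placed into the attribute unencoded.
function buildATagParamsRaw(string $titleText): string
{
    return ' title="' . $titleText . '"';
}

// Proposed behaviour: the title is encoded for an HTML attribute context.
// The flags are spelled out here; the report uses the function's defaults.
function buildATagParamsEscaped(string $titleText): string
{
    return ' title="' . htmlspecialchars($titleText, ENT_QUOTES, 'UTF-8') . '"';
}

// Wrap the attribute string in an <a> tag, parse it, and return the attributes
// the parser actually attached to the link, as name => value.
function parseLinkAttributes(string $aTagParams): array
{
    $doc = new DOMDocument();
    // The unencoded variant is malformed markup; collect warnings quietly.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML('<html><body><a href="image.jpg"' . $aTagParams . '>x</a></body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $attributes = [];
    $link = $doc->getElementsByTagName('a')->item(0);
    foreach ($link->attributes as $attr) {
        $attributes[$attr->name] = $attr->value;
    }
    return $attributes;
}

// Constructed sample title containing double quotes.
$title = 'Photo "Sunset" at the beach';

$raw = parseLinkAttributes(buildATagParamsRaw($title));
$escaped = parseLinkAttributes(buildATagParamsEscaped($title));

// Unencoded: the first quote inside the title closes the attribute early,
// so the parsed title stops after "Photo " and the rest becomes stray markup.
var_dump($raw['title'] === $title);      // bool(false)
print_r(array_keys($raw));

// Encoded: the parser decodes &quot; back to ", so the full title survives.
var_dump($escaped['title'] === $title);  // bool(true)
print_r(array_keys($escaped));
```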