Bug #60069

Objects cast to string are not escaped

Added by Philipp Maier over 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
Must have
Category:
ViewHelpers
Target version:
-
Start date:
2014-07-03
Due date:
% Done:
100%

Estimated time:
Has patch:
No

Description

Basically if you have a class like this:

class HelloWorld {
    // Deliberately returns raw markup: this is the payload that should be escaped
    public function __toString() { return '<script>alert("hello world");</script>'; }
}

and you assign it as a fluid variable like this:

$this->view->assign('helloworld', new HelloWorld());

and have a template like this:

{helloworld}

you're going to have a bad time.


Related issues

Related to TYPO3 Core - Bug #60082: Backport: Objects cast to string are not escaped (Closed, 2014-07-03)

#1

Updated by Bastian Waidelich over 7 years ago

  • Category set to Core
  • Status changed from New to Accepted
  • Assignee set to Bastian Waidelich

This is bad, thanks for reporting!

#2

Updated by Philipp Maier over 7 years ago

I forgot to mention that the CMS version behaves the very same way.
Should I create an issue in that bugtracker as well?

#3

Updated by Bastian Waidelich over 7 years ago

  • Category changed from Core to ViewHelpers

#4

Updated by Bastian Waidelich over 7 years ago

Philipp Maier wrote:

I forgot to mention that the CMS version behaves the very same way.
Should I create an issue in that bugtracker as well?

Yes, that would be great!

FYI: the culprit is line 66 of https://git.typo3.org/Packages/TYPO3.Fluid.git/blob/HEAD:/Classes/TYPO3/Fluid/ViewHelpers/Format/HtmlspecialcharsViewHelper.php#l66

and a possible fix is to replace

if (!is_string($value)) {

by

if (!is_string($value) && !(is_object($value) && method_exists($value, '__toString'))) {
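The following stand-alone PHP script is an added example, not the reporter's code and not part of the TYPO3 Fluid code base. It reproduces the scenario from the description (a `__toString()` object assigned to the view and rendered with `{helloworld}`) and puts the original `is_string` check next to the replacement condition proposed above, so the difference in output can be seen directly. The two helper functions `escapeBefore` and `escapeAfter`, and the use of `htmlspecialchars` with `ENT_QUOTES`, are assumptions standing in for the real HtmlspecialcharsViewHelper; only the two `if` conditions are taken from the comment.

```php
<?php
// Added example (not TYPO3 Fluid's own code). The escaping helpers below are
// simplified stand-ins for the HtmlspecialcharsViewHelper; the two `if`
// conditions are the ones quoted in the comment above.

class HelloWorld
{
    // The reporter's class: a Stringable object carrying raw markup.
    public function __toString(): string
    {
        return '<script>alert("hello world");</script>';
    }
}

/**
 * Vulnerable behaviour: only PHP strings are escaped, every other value is
 * returned as-is. A Stringable object therefore leaves this function
 * unescaped, and the string cast happens later, when Fluid interpolates the
 * value into the template, so the raw markup lands in the HTML.
 */
function escapeBefore($value)
{
    if (!is_string($value)) {
        return $value;
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Fixed behaviour (condition from the comment): objects that implement
 * __toString() are no longer passed through; they are cast to string here
 * and escaped like any other string.
 */
function escapeAfter($value)
{
    if (!is_string($value) && !(is_object($value) && method_exists($value, '__toString'))) {
        return $value;
    }
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simulates `$this->view->assign('helloworld', new HelloWorld());`
$helloworld = new HelloWorld();

// Simulates rendering `<p>{helloworld}</p>`: concatenation forces the
// string cast that the template engine would otherwise perform.
$before = '<p>' . escapeBefore($helloworld) . '</p>';
$after  = '<p>' . escapeAfter($helloworld) . '</p>';

echo "before: {$before}\n";
echo "after:  {$after}\n";

// Self-checks: the original check lets the raw <script> tag through, the
// fixed check does not.
if (strpos($before, '<script>') === false) {
    throw new RuntimeException('expected the vulnerable version to emit raw markup');
}
if (strpos($after, '<script>') !== false) {
    throw new RuntimeException('fixed version still emits raw markup');
}

// The fix is targeted: values that are neither strings nor Stringable
// (integers, null, plain objects) still pass through unchanged, so the
// change cannot break callers that rely on that behaviour.
$plain = new stdClass();
if (escapeAfter(42) !== 42 || escapeAfter(null) !== null || escapeAfter($plain) !== $plain) {
    throw new RuntimeException('non-Stringable values must pass through untouched');
}
echo "checks passed\n";
```

Run it with `php example.php`; the first line of output shows the unescaped `<script>` element, the second shows it entity-encoded. The pass-through checks at the end are the caveat worth keeping in mind when backporting: the condition only changes how Stringable objects are treated, everything else keeps the old behaviour.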

#5

Updated by Philipp Maier over 7 years ago

Cool that you found the issue already!

Copied the Bug to the CMS Tracker:
http://forge.typo3.org/issues/60082

#6

Updated by Gerrit Code Review over 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.Fluid has been pushed to the review server.
It is available at https://review.typo3.org/31312

#7

Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.Fluid has been pushed to the review server.
It is available at https://review.typo3.org/31312

#8

Updated by Bastian Waidelich over 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#9

Updated by Gerrit Code Review about 7 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 2.2 of project Packages/TYPO3.Fluid has been pushed to the review server.
It is available at http://review.typo3.org/32230

#10

Updated by Gerrit Code Review about 7 years ago

Patch set 1 for branch 2.1 of project Packages/TYPO3.Fluid has been pushed to the review server.
It is available at http://review.typo3.org/32231

#11

Updated by Bastian Waidelich about 7 years ago

  • Status changed from Under Review to Resolved
