Task #69062 (closed)

Properly escape all form attributes in SetupModuleController

Added by Frans Saris over 9 years ago. Updated about 6 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2015-08-14
% Done: 100%
TYPO3 Version: 7
Sprint Focus: On Location Sprint

Description

Some form tag attributes are directly fetched from configuration without being escaped by htmlspecialchars().

For instance:

            // Both values come straight from configuration and are never
            // passed through htmlspecialchars() before being placed in HTML.
            $class = $config['class'];

            if ($type !== 'check') {
                $class .= ' form-control';
            }

            $style = $config['style'];
            if ($class) {
                // unescaped: a double quote in $class terminates the attribute
                $more .= ' class="' . $class . '"';
            }

...

            // $fieldName, $type, $dataAdd and $more are concatenated raw;
            // only $value is escaped.
            $html = '<input id="field_' . $fieldName . '"
                type="' . $type . '"
                name="data' . $dataAdd . '[' . $fieldName . ']" ' .
                $noAutocomplete .
                'value="' . htmlspecialchars($value) . '" ' .
                $more .
            ' />';

See also: https://review.typo3.org/#/c/41780/13/typo3/sysext/setup/Classes/Controller/SetupModuleController.php

We need to make sure all added attributes are properly escaped.
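The hardened form of the tag builder, as an added example that is not TYPO3's own code: every attribute value, not just `value`, goes through htmlspecialchars() before concatenation. The helper names (`escAttr`, `buildInputTag`) and the constructed configuration are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Escape a string for use inside a double- or single-quoted HTML attribute.
// ENT_QUOTES encodes both quote characters, so the value cannot terminate
// the attribute it is placed in regardless of the quoting style used.
function escAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the <input> tag with the same inputs as the controller code in the
// issue, but with every attribute escaped. $config is the per-field
// configuration array ('class', 'style'); $dataAdd is the optional
// name prefix from the original snippet.
function buildInputTag(
    string $fieldName,
    string $type,
    string $value,
    array $config,
    string $dataAdd = ''
): string {
    $class = (string)($config['class'] ?? '');
    if ($type !== 'check') {
        $class .= ' form-control';
    }
    $style = (string)($config['style'] ?? '');

    $more = '';
    if (trim($class) !== '') {
        $more .= ' class="' . escAttr(trim($class)) . '"';
    }
    if ($style !== '') {
        $more .= ' style="' . escAttr($style) . '"';
    }

    return '<input id="field_' . escAttr($fieldName) . '"'
        . ' type="' . escAttr($type) . '"'
        . ' name="data' . escAttr($dataAdd) . '[' . escAttr($fieldName) . ']"'
        . ' value="' . escAttr($value) . '"'
        . $more
        . ' />';
}

// Constructed configuration containing a double quote in 'class'. With the
// original code the quote would end the class attribute and the remainder
// would become a separate attribute; here it is emitted as &quot;.
$config = ['class' => 'foo" bar="baz', 'style' => 'color: red'];
echo buildInputTag('email', 'text', 'a@example.org', $config), PHP_EOL;
```

Running it shows the quote rendered as `&quot;` inside the class attribute, so the markup still contains exactly the attributes the controller intended to set.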
