Bug #75016

Prevent XSS in fluid viewhelpern

Added by Nicole Cordes over 5 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Must have
Assignee:
Category:
Fluid
Target version:
Start date:
2016-03-11
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:
Stabilization Sprint

Description

There are some viewhelpers which miss to escape incoming variables and cause XSS entry points.

1. Set up a TYPO3 instance with current master
2. Include "fluid_stlyed_content" in root template
3. Create a content element of type "header"
4. Set the header field to "<script>alert('header xss');</script>"
5. Open page in frontend.

#1

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193

#2

Updated by Gerrit Code Review over 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193

#3

Updated by Gerrit Code Review over 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193

#4

Updated by Gerrit Code Review over 5 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47193

#5

Updated by Markus Klein over 5 years ago

  • Sprint Focus set to Stabilization Sprint
#6

Updated by Nicole Cordes over 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#7

Updated by Riccardo De Contardi over 3 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF