Bug #84591

XSS in ToolbarItems icon rendering

Added by Oliver Hader about 3 years ago. Updated over 2 years ago.

Should have


Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches. I know about clearCacheCmd.)

Context: regular BE login and a sitepackage extension which registers this class.

Proof of Concept: my class adds this identifier:

<?php
use TYPO3\CMS\Backend\Routing\UriBuilder;
use TYPO3\CMS\Core\Imaging\IconFactory;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * @param array $cacheActions
 * @param array $optionValues
 * @return void
 */
public function manipulateCacheActions(&$cacheActions, &$optionValues)
{
    $iconFactory = GeneralUtility::makeInstance(IconFactory::class); // unused in this PoC
    $cacheActions[] = [
        'id'          => 'news_clear_cache',
        'title'       => 'Flush news caches',
        'description' => 'Clear fluid cache for frontend pages with news',
        'href'        => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
        // PoC payload: the v7 dropdown outputs this value without escaping
        'icon'        => '<script>alert(document.cookie);</script>',
    ];
}

In TYPO3 7.6.x the cache manipulator has the option "icon", which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php.
In the function getDropdown (line 160), $cacheAction['icon'] is output without htmlspecialchars().


ext_localconf.txt (695 Bytes), Oliver Hader, 2018-04-04 08:26
NewsClearCacheAction.txt (1.43 KB), Oliver Hader, 2018-04-04 08:26
Routes.txt (209 Bytes), Oliver Hader, 2018-04-04 08:26
v7_htmlspecialchars_logo.diff (3.06 KB), Oliver Hader, 2018-04-04 08:26

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)

Updated by Oliver Hader about 3 years ago

  • Description updated (diff)
  • Reporter set to Guido Schmechel
  • OTRS-Sec Ticket-ID set to 201802235760000013

Updated by Helmut Hummel about 3 years ago

  • Project changed from 1716 to TYPO3 Core
  • Category deleted (OW-A07: Cross Site Scripting)

Can be handled publicly, as the attack vector requires the ability to add PHP code.


Updated by Andreas Fernandez about 3 years ago

Issue is reproducible in v7 only.

Fixing is not that easy, as the icon attribute must be an HTML string, which is generated by IconFactory, which also allows this kind of XSS.
One possible fix is that we backport the behavior of v9 and v8, which means we have an attribute called iconIdentifier instead and the icon gets rendered at the required location. The downside is that this solution is breaking.

Any opinions?
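The two rendering strategies contrasted above, as an added self-contained PHP sketch (not TYPO3 core code; the icon registry, function names and sample actions are constructed stand-ins for IconFactory and ClearCacheToolbarItem::getDropdown()):

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the icon registry that IconFactory consults in TYPO3.
const ICON_REGISTRY = [
    'actions-system-cache-clear' => '<span class="icon icon-cache-clear"></span>',
];

// v7 style: the hook hands over ready-made HTML in 'icon' and the dropdown
// concatenates it verbatim. Escaping it would also destroy legitimate
// IconFactory markup, which is why a plain htmlspecialchars() is no fix.
function renderDropdownV7(array $cacheActions): string
{
    $html = '';
    foreach ($cacheActions as $cacheAction) {
        $html .= '<li><a href="' . htmlspecialchars($cacheAction['href']) . '">'
            . $cacheAction['icon'] // unescaped on purpose: this is the defect
            . htmlspecialchars($cacheAction['title']) . '</a></li>';
    }
    return $html;
}

// v8/v9 style: the hook passes an 'iconIdentifier'; only markup taken from
// the registry reaches the page, and every free-text field is escaped.
function renderDropdownFixed(array $cacheActions): string
{
    $html = '';
    foreach ($cacheActions as $cacheAction) {
        $iconHtml = ICON_REGISTRY[$cacheAction['iconIdentifier']] ?? '';
        $html .= '<li><a href="' . htmlspecialchars($cacheAction['href']) . '">'
            . $iconHtml . htmlspecialchars($cacheAction['title']) . '</a></li>';
    }
    return $html;
}

// Constructed input mirroring the PoC value from the report.
$payload = '<script>alert(document.cookie);</script>';
$vulnerable = renderDropdownV7([['href' => '/x', 'title' => 'Flush', 'icon' => $payload]]);
$hardened = renderDropdownFixed([['href' => '/x', 'title' => 'Flush', 'iconIdentifier' => $payload]]);

if (strpos($vulnerable, '<script>') === false) {
    throw new RuntimeException('expected the v7 renderer to pass the markup through');
}
if (strpos($hardened, '<script>') !== false) {
    throw new RuntimeException('an unknown identifier must not produce any markup');
}
echo $hardened, PHP_EOL;
```

The identifier-based variant is the breaking change discussed above: hooks that still set 'icon' get no icon at all, but unregistered strings can never reach the page as markup.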


Updated by Jigal van Hemert about 3 years ago

In 7LTS RemoveXSS is still available. It could be used to disable most potentially unwanted stuff (it won't give 100% protection).


Updated by Riccardo De Contardi over 2 years ago

  • Status changed from New to Closed

I close this issue (in agreement with the reporter) as it affects only v7. If this is the wrong decision or there is still work that should be done, please reopen it or ping me.

Thank you.
