TYPO3 Core

When calling

\TYPO3\CMS\Backend\Utility\BackendUtility::thumbCode

its 8th parameter, variable $tparams ("Optional: $tparams is additional attributes for the image tags"), does not do anything or to much depending on case: calling it with FAL reference or parameter $uploaddir.

1. When calling with FAL reference the parameter does not do anything, since the variable is not used in the code (BackendUtility.php:1348-1411)
   Line 1398

    $imgTag = '<img ' . GeneralUtility::implodeAttributes($attributes, true) . '/>';

   should make use of that variable.
2. When using the $uploaddir parameter (BackendUtility.php:1413-1476) it is used in generating the image tag, cf. line 1458:

   $image = '<img src="' . htmlspecialchars($imageUrl) . '" hspace="2" border="0" title="' . htmlspecialchars($fileObject->getName()) . '"' . $tparams . ' alt="" />';

   
   Yet, the possible additional attributes "hspace" and "border", for example, are already present in that line.

=> The variable should also be used in the first case.
=> Any string which is passed through the variable should be chcecked if it is a viable attribute of an img-tag before being added to the final result.