Bug #92857
Closed
Recycler: Contents of column "Record" are escaped/encoded twice with htmlspecialchars
100%
Description
The contents of the column "Record" in the Recycler are escaped/encoded twice with htmlspecialchars. This leads to the display of &amp; when the text contains an ampersand.
This issue applies to TYPO3 9.5.22 as well as 10.4.9.
Updated by Guido Schmechel over 3 years ago
Problem still exists in v11. Not sure if we could safely remove this htmlspecialchars(). The recycler uses getPageRecordTitle() which can be influenced via custom "label_userFunc". And there doesn't have to be htmlspecialchars. The security team should give feedback on this.
I don't know if there is a cleaner detection, maybe you could check on htmlspecialchars() and then handle it as the case may be.
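The trade-off raised in the comment above, as an added example that is not TYPO3 code and not part of the original issue: it compares a view that always escapes, one that never escapes, and one that uses the real `double_encode = false` argument of `htmlspecialchars()` as a form of "detection". The function names and sample titles are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

const ESCAPE_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// Hypothetical title source that returns plain, unescaped text.
function rawTitle(): string
{
    return 'Tom & Jerry <b>';
}

// Hypothetical custom label function that already escapes its result.
function preEscapedTitle(): string
{
    return htmlspecialchars('Tom & Jerry <b>', ESCAPE_FLAGS, 'UTF-8');
}

// View 1: always escape. Safe for raw input, double-encodes escaped input.
function renderAlways(string $title): string
{
    return htmlspecialchars($title, ESCAPE_FLAGS, 'UTF-8');
}

// View 2: never escape. Correct for escaped input, emits markup for raw input.
function renderNever(string $title): string
{
    return $title;
}

// View 3: escape, but leave anything that already looks like an entity alone.
function renderLenient(string $title): string
{
    return htmlspecialchars($title, ESCAPE_FLAGS, 'UTF-8', false);
}

// Constructed sample inputs.
$cases = [
    'raw title'         => rawTitle(),
    'pre-escaped title' => preEscapedTitle(),
    // Raw text that legitimately contains an entity, e.g. a page about HTML.
    'raw "&amp;" text'  => 'How to write &amp;',
];

foreach ($cases as $label => $title) {
    printf("%s\n  always : %s\n  never  : %s\n  lenient: %s\n",
        $label, renderAlways($title), renderNever($title), renderLenient($title));
}
```

The lenient view repairs the pre-escaped case but cannot tell it apart from the third title, whose literal "&amp;" then renders as a bare ampersand. The unambiguous fix is a contract that title sources return raw text and the view escapes exactly once.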
Updated by Gerrit Code Review over 2 years ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74065
Updated by Simon Schaufelberger over 2 years ago
- % Done changed from 0 to 100
- PHP Version deleted (7.3)
Updated by Gerrit Code Review over 2 years ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74065
Updated by Gerrit Code Review over 2 years ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74065
Updated by Gerrit Code Review over 2 years ago
Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74071
Updated by Anonymous over 2 years ago
- Status changed from Under Review to Resolved
Applied in changeset 241e6a0b3037fe79cba1efeed775461a71c7a695.