Project

General

Profile

Actions
Copy link

Bug #92857

closed

Recycler: Contents of column "Record" are escaped/encoded twice with htmlspecialchars

Added by Andreas Stephan over 3 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Recycler
Target version:
-
Start date:
2020-11-16
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
no-brainer
Is Regression:
Sprint Focus:
Remote Sprint

Description

The contents of the column "Record" in the Recycler are escaped/encoded twice with htmlspecialchars. This leads to the display of & when the text contains an ampersand.

This issue applies to TYPO3 9.5.22 as well as 10.4.9

Actions
Copy link
 #1

Updated by Guido Schmechel almost 3 years ago

Problem still exists in v11. Not sure if we could safely remove this htmlspecialchars(). The recycler use getPageRecordTitle() which can be influenced via custom "label_userFunc". And there doesn't have to be htmlspecialchars. The security team should give feedback on this.

I don't know if there is a cleaner detection, maybe you could check on htmlspecialchars() and then handle it as the case may be.

Actions
Copy link
 #2

Updated by Mathias Schreiber about 2 years ago

  • Sprint Focus set to Remote Sprint
Actions
Copy link
 #3

Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74065

Actions
Copy link
 #4

Updated by Simon Schaufelberger about 2 years ago

  • % Done changed from 0 to 100
  • PHP Version deleted (7.3)
Actions
Copy link
 #5

Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74065

Actions
Copy link
 #6

Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74065

Actions
Copy link
 #7

Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/74071

Actions
Copy link
 #8

Updated by Anonymous about 2 years ago

  • Status changed from Under Review to Resolved
Actions
Copy link
 #9

Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF