Task #69062
Updated by Frans Saris over 9 years ago
Some form tag attributes are directly fetched from configuration without being escaped by htmlspecialchars().
For instance:
<pre>
$class = $config['class'];          // taken from configuration, never escaped
if ($type !== 'check') {
    $class .= ' form-control';
}
$style = $config['style'];          // taken from configuration, never escaped
if ($class) {
    $more .= ' class="' . $class . '"';   // raw $class lands inside the attribute value
}
...
$html = '<input id="field_' . $fieldName . '"
    type="' . $type . '"
    name="data' . $dataAdd . '[' . $fieldName . ']" ' .
    $noAutocomplete .
    'value="' . htmlspecialchars($value) . '" ' .   // only $value goes through htmlspecialchars()
    $more .
    ' />';
</pre>
See also: https://review.typo3.org/#/c/41780/13/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
We need to make sure all added attributes are properly escaped.
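A hardened builder for the same tag, as an added example that is not the ticket's or TYPO3's own code: every attribute that comes from $config is run through htmlspecialchars() with ENT_QUOTES before concatenation. The function names escapeAttribute() and buildInputTag() and the sample $config are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 * ENT_QUOTES also converts single quotes; ENT_HTML5 selects HTML5 entity rules.
 */
function escapeAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened version of the input builder (hypothetical helper, not TYPO3's code):
 * $class and $style from $config are escaped like $value instead of being
 * concatenated raw into $more.
 */
function buildInputTag(string $fieldName, string $type, string $value, array $config, string $dataAdd = ''): string
{
    $class = (string)($config['class'] ?? '');
    if ($type !== 'check') {
        $class = trim($class . ' form-control');
    }
    $style = (string)($config['style'] ?? '');

    $attributes = [
        'id'    => 'field_' . $fieldName,
        'type'  => $type,
        'name'  => 'data' . $dataAdd . '[' . $fieldName . ']',
        'value' => $value,
    ];
    if ($class !== '') {
        $attributes['class'] = $class;
    }
    if ($style !== '') {
        $attributes['style'] = $style;
    }
    // One escaping point for every attribute, regardless of where its value came from.
    $html = '<input';
    foreach ($attributes as $name => $attrValue) {
        $html .= ' ' . $name . '="' . escapeAttribute($attrValue) . '"';
    }
    return $html . ' />';
}

// Constructed configuration: a legitimate style value containing a double quote.
// Concatenated raw, as in the snippet above, it would terminate the style attribute early.
$config = ['class' => 'wide', 'style' => 'font-family: "Fira Sans"'];
echo buildInputTag('name', 'text', 'O\'Reilly', $config), PHP_EOL;
```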