Bug #84591

Updated by Oliver Hader almost 2 years ago

> Today I built a CacheManipulateClass for a customer to flush a few news caches. (Please do not judge this way of flushing caches. I know about clearCacheCmd.)
>
> Context: Regular BE login and a sitepackage extension which registers this class.
>
> Proof of Concept: My class adds this identifier
>

<pre>
/**
 * @param array $cacheActions
 * @param array $optionValues
 *
 * @return void
 */
public function manipulateCacheActions(&$cacheActions, &$optionValues)
{
    $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
    $cacheActions[] = [
        'id' => 'news_clear_cache',
        'title' => 'Flush news caches',
        'description' => 'Clear fluid cache for frontend pages with news',
        'href' => (new UriBuilder())->buildUriFromRoute('news_clear_cache'),
        'icon' => '<script>alert(document.cookie);</script>'
    ];
}
</pre>

> In TYPO3 7.6.x the cache manipulator has the option "icon", which is handled in TYPO3/v7/typo3/sysext/backend/Classes/Backend/ToolbarItems/ClearCacheToolbarItem.php
> In the function getDropdown (line 160) the function calls $cacheAction['icon'] without htmlspecialchars().
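
The rendering behaviour described in the report, next to a hardened variant, as an added example (not TYPO3 code and not from the reporter). The functions `renderUnescaped` and `renderHardened`, the sample URL and the rule that `icon` must be a plain identifier are assumptions made for illustration.

```php
<?php
// Simplified stand-in for a toolbar dropdown renderer; not the TYPO3 implementation.
// Constructed sample entry that mirrors the 'icon' value from the report.
$cacheActions = [[
    'id' => 'news_clear_cache',
    'title' => 'Flush news caches',
    'href' => '/typo3/index.php?route=news_clear_cache', // constructed URL
    'icon' => '<script>alert(document.cookie);</script>',
]];

/** Behaviour described in the report: 'icon' is concatenated into the markup as-is. */
function renderUnescaped(array $actions): string
{
    $html = '';
    foreach ($actions as $a) {
        $html .= '<a href="' . htmlspecialchars($a['href'], ENT_QUOTES) . '">'
            . $a['icon'] . ' ' . htmlspecialchars($a['title'], ENT_QUOTES) . '</a>';
    }
    return $html;
}

/**
 * Hardened variant (assumption): 'icon' carries an icon identifier only.
 * The renderer validates it and builds the icon markup itself, so no
 * caller-supplied HTML reaches the output.
 */
function renderHardened(array $actions): string
{
    $html = '';
    foreach ($actions as $a) {
        $icon = '';
        if (is_string($a['icon']) && preg_match('/^[a-z0-9-]+$/', $a['icon']) === 1) {
            $icon = '<span class="icon icon-' . $a['icon'] . '"></span>';
        }
        $html .= '<a href="' . htmlspecialchars($a['href'], ENT_QUOTES) . '">'
            . $icon . ' ' . htmlspecialchars($a['title'], ENT_QUOTES) . '</a>';
    }
    return $html;
}

// The first line of output contains the script element; the second drops the
// invalid identifier and renders the entry without an icon.
echo renderUnescaped($cacheActions), PHP_EOL;
echo renderHardened($cacheActions), PHP_EOL;
```

Applying htmlspecialchars() to `icon` directly also neutralises the payload, but any entry that passes ready-made icon markup in that field would then be displayed as text.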
