Revision 4b57a840


Added by Karsten Dambekalns almost 8 years ago

[SECURITY] Remove possible XSS from ActionController Error output

The errorAction method in the ActionController base class of Flow
returns error messages without properly encoding them. Because these
error messages can contain user input, this could lead to a Cross-Site
Scripting vulnerability in Flow driven applications.

The offending output has been removed without substitution.

Hint: If you have customized the error action in your Flow application,
we advise you to check that the error messages returned in these actions
only contain static strings and are not derived from any kind of user
input. If you are not sure whether your code is fine in that regard,
feel free to ask on a public mailing list or the forum.

Fixes: #31206
Change-Id: Ic26a89a53d4301f4ca1382e99ecccf389ccb8c25
Releases: master, 2.1, 2.0, 1.1
Security-Bulletin: TYPO3-FLOW-SA-2013-001
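To illustrate the pattern the commit message describes, here is an added PHP example that is not code from the Flow commit or the Flow project: a hypothetical custom error action that concatenates a request argument into its error message, beside two hardened variants (encoding the value, or returning only a static string as the hint advises). All function and variable names are assumptions.

```php
<?php
// Added illustration, not code from the Flow commit. Function and variable
// names are hypothetical; only the pattern (user input echoed into an error
// message without encoding) mirrors what the commit message describes.

// Constructed sample input: a request argument an attacker controls.
$submittedName = '<script>alert(1)</script>';

// Vulnerable pattern: the raw argument is concatenated into an HTML error page,
// so any markup in the argument is rendered by the browser.
function errorActionVulnerable(string $argument): string
{
    return 'Validation failed for argument: ' . $argument;
}

// Hardened pattern 1: encode anything derived from user input before it
// reaches HTML output. ENT_QUOTES also covers attribute contexts.
function errorActionEncoded(string $argument): string
{
    return 'Validation failed for argument: '
        . htmlspecialchars($argument, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern 2 (what the commit's hint recommends): return a static
// message only, and keep the user-supplied detail in the server log.
function errorActionStatic(string $argument): string
{
    error_log('Validation failed for argument: ' . $argument);
    return 'The request could not be processed because of invalid input.';
}

// Quick check: only the vulnerable variant emits the raw tag.
$variants = [
    'vulnerable' => errorActionVulnerable($submittedName),
    'encoded'    => errorActionEncoded($submittedName),
    'static'     => errorActionStatic($submittedName),
];
foreach ($variants as $name => $body) {
    $verdict = str_contains($body, '<script>') ? 'RAW TAG PRESENT' : 'safe';
    echo str_pad($name, 11) . $verdict . ': ' . $body . PHP_EOL;
}
```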
