Andreas Fernandez authored
The PreviewRenderer pattern introduced with #78450 makes use of the TCA feature `descriptionColumn` to render the content of this column in a content element's preview in the page module. The content of the column, however, was not properly escaped, allowing a persistent XSS abuse. This patch adds a `htmlspecialchars()` to the output to escape the content properly.

Resolves: #93562
Related: #78450
Releases: master, 11.1, 10.4
Change-Id: I144c6c2d7f4f61f4479fac3c2d400a21f5d72405
Security-Bulletin: TYPO3-CORE-SA-2021-007
Security-References: CVE-2021-21340
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68452
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
2f35faff
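To illustrate the defect and the fix the commit message describes, here is an added, self-contained PHP example that is not TYPO3's own PreviewRenderer code: the TCA fragment, the record, and the two function names are constructed for this illustration, and the fixed variant applies `htmlspecialchars()` to the `descriptionColumn` value before it is concatenated into the preview HTML.

```php
<?php
// Added example; not code from the TYPO3 commit. The TCA array, record and
// function names are constructed to show the unescaped vs. escaped output.

// Constructed TCA fragment: the table declares which column holds the
// editor-facing description that the page module preview displays.
$tca = [
    'tt_content' => [
        'ctrl' => ['descriptionColumn' => 'rowDescription'],
    ],
];

// Constructed record as a backend editor could have saved it; the column
// is free text, so it may contain markup the editor typed or pasted.
$record = [
    'uid' => 42,
    'rowDescription' => 'Teaser <b>above the fold</b> & "hero" image',
];

/**
 * Vulnerable variant (behaviour before the fix): the stored value is
 * concatenated straight into the preview HTML, so any markup in the
 * record is interpreted by the browser of every backend user who opens
 * the page module, i.e. a persistent XSS.
 */
function renderDescriptionUnescaped(array $tca, string $table, array $record): string
{
    $column = $tca[$table]['ctrl']['descriptionColumn'] ?? '';
    if ($column === '' || empty($record[$column])) {
        return '';
    }
    return '<p class="preview-description">' . $record[$column] . '</p>';
}

/**
 * Fixed variant: identical output path, but the value passes through
 * htmlspecialchars() so the browser shows the text literally. ENT_QUOTES
 * also encodes single quotes, which matters inside attribute values.
 */
function renderDescriptionEscaped(array $tca, string $table, array $record): string
{
    $column = $tca[$table]['ctrl']['descriptionColumn'] ?? '';
    if ($column === '' || empty($record[$column])) {
        return '';
    }
    $safe = htmlspecialchars($record[$column], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="preview-description">' . $safe . '</p>';
}

echo renderDescriptionUnescaped($tca, 'tt_content', $record), PHP_EOL;
echo renderDescriptionEscaped($tca, 'tt_content', $record), PHP_EOL;
```

Running the script prints the raw `<b>` tag in the first line and `&lt;b&gt;` (with `&amp;` and `&quot;` for the other characters) in the second, which is the only difference the patch introduces.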