[SECURITY] XSS in beuser VH

The tree Display/* ViewHelpers introduce a XSS vulnerability by
using unescaped parameters in HTML.

Change-Id: I0dadb03105d3eaa520f10f0375a46c83fa56c269
Fixes: #47086
Releases: 6.2, 6.1, 6.0
Security-Commit: 1e0f51f204efd9efacec8aef8ea08e2a8122177b
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26218
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader

typo3/sysext/beuser/Classes/ViewHelpers/Display/PagesViewHelper.php

@@ -52,7 +52,7 @@ class PagesViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractViewHelpe
 			'uid ASC'
 		);
 		while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
-			$content .= '<li>' . $row['title'] . ' [' . $row['uid'] . ']</li>';
+			$content .= '<li>' . htmlspecialchars($row['title']) . ' [' . htmlspecialchars($row['uid']) . ']</li>';
 		}
 		$GLOBALS['TYPO3_DB']->sql_free_result($res);
 		return '<ul>' . $content . '</ul>';

typo3/sysext/beuser/Classes/ViewHelpers/Display/SysFileMountsViewHelper.php

@@ -52,7 +52,7 @@ class SysFileMountsViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractV
 			'title ASC'
 		);
 		while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
-			$content .= '<li>' . $row['title'] . ' [' . $row['uid'] . ']</li>';
+			$content .= '<li>' . htmlspecialchars($row['title']) . ' [' . htmlspecialchars($row['uid']) . ']</li>';
 		}
 		$GLOBALS['TYPO3_DB']->sql_free_result($res);
 		return '<ul>' . $content . '</ul>';

typo3/sysext/beuser/Classes/ViewHelpers/Display/SysLanguageViewHelper.php

@@ -51,7 +51,7 @@ class SysLanguageViewHelper extends \TYPO3\CMS\Fluid\Core\ViewHelper\AbstractVie
 			'title ASC'
 		);
 		while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
-			$content .= '<li>' . $row['title'] . ' [' . $row['uid'] . ']</li>';
+			$content .= '<li>' . htmlspecialchars($row['title']) . ' [' . htmlspecialchars($row['uid']) . ']</li>';
 		}
 		$GLOBALS['TYPO3_DB']->sql_free_result($res);
 		return '<ul>' . $content . '</ul>';