From 1d5985b43ac84a4b47446253a4653c31e6c7be57 Mon Sep 17 00:00:00 2001
From: Christian Kuhn <lolli@schwarzbu.ch>
Date: Mon, 31 Jul 2023 19:39:25 +0200
Subject: [PATCH] [BUGFIX] Ensure string in htmlspecialchars()
When select fields with db relations allow pages records, the DatabaseBrowser tries to render an icon from the page row. uid of that row may be an int, which needs to be cast to string to be fed to htmlspecialchars().
Resolves: #101513
Related: #100819
Releases: main, 12.4, 11.5
Change-Id: I52ee031cb0eb09f41ae8ecb6d7005f03e65de3bd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80285
Tested-by: core-ci <typo3@b13.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
---
typo3/sysext/recordlist/Classes/Browser/DatabaseBrowser.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/typo3/sysext/recordlist/Classes/Browser/DatabaseBrowser.php b/typo3/sysext/recordlist/Classes/Browser/DatabaseBrowser.php
index c500e7a80331..351526c00506 100644
--- a/typo3/sysext/recordlist/Classes/Browser/DatabaseBrowser.php
+++ b/typo3/sysext/recordlist/Classes/Browser/DatabaseBrowser.php
@@ -149,7 +149,7 @@ class DatabaseBrowser extends AbstractElementBrowser implements ElementBrowserIn
 $out .= '<p>' . $this->iconFactory->getIconForRecord('pages', $mainPageRecord, Icon::SIZE_SMALL)->render() . ' ';
 if (in_array('pages', $tablesArr, true)) {
- $out .= '<span data-uid="' . htmlspecialchars($mainPageRecord['uid']) . '" data-table="pages" data-title="' . htmlspecialchars($mainPageRecord['title']) . '">';
+ $out .= '<span data-uid="' . htmlspecialchars((string)$mainPageRecord['uid']) . '" data-table="pages" data-title="' . htmlspecialchars($mainPageRecord['title']) . '">';
 $out .= '<a href="#" data-close="0">' . $this->iconFactory->getIcon('actions-add', Icon::SIZE_SMALL)->render() . '</a>'
-- GitLab
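Review bot: `htmlspecialchars($mainPageRecord['title'])` on the changed line still receives the raw row value, so `data-title` can fail with the same type error that `data-uid` did if the title is ever not a string (for example null); only the uid is cast. Whether a pages row can carry a non-string title is not visible from this hunk, but casting both values keeps the line uniform: `htmlspecialchars((string)($mainPageRecord['title'] ?? ''))`. The patch rightly keeps `htmlspecialchars()` around the cast uid, so every value interpolated into the attribute string passes through the same encoder. The enclosing method begins and ends outside the hunk.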