From 1fa553dac2291cfb8f48f9b6a850ee2cb2663728 Mon Sep 17 00:00:00 2001
From: Wouter Wolters <typo3@wouterwolters.nl>
Date: Thu, 17 Aug 2017 13:32:01 +0200
Subject: [PATCH] [BUGFIX] Prevent XSS in PageLayoutController

Correctly use htmlspecialchars for the link.

Resolves: #82077
Releases: master,8.7,7.6
Change-Id: I87ea4010aa187f5f601c31423fb1a0fc05a23107
Reviewed-on: https://review.typo3.org/53719
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wolfgang Klinger <wolfgang@wazum.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
---
 .../backend/Classes/Controller/PageLayoutController.php       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Controller/PageLayoutController.php b/typo3/sysext/backend/Classes/Controller/PageLayoutController.php
index effd5c3b181d..261143df6114 100644
--- a/typo3/sysext/backend/Classes/Controller/PageLayoutController.php
+++ b/typo3/sysext/backend/Classes/Controller/PageLayoutController.php
@@ -519,7 +519,7 @@ class PageLayoutController
                 } else {
                     $linkToPid = $this->local_linkThisScript(['id' => $targetPage['uid']]);
                     $path = BackendUtility::getRecordPath($targetPage['uid'], $this->getBackendUser()->getPagePermsClause(Permission::PAGE_SHOW), 1000);
-                    $linkedPath = '<a href="' . $linkToPid . '">' . htmlspecialchars($path) . '</a>';
+                    $linkedPath = '<a href="' . htmlspecialchars($linkToPid) . '">' . htmlspecialchars($path) . '</a>';
                     $message .= sprintf($lang->getLL('pageIsInternalLinkMessage'), $linkedPath);
                 }
 
@@ -567,7 +567,7 @@ class PageLayoutController
             $contentPage = BackendUtility::getRecord('pages', (int)$this->pageinfo['content_from_pid']);
             $linkToPid = $this->local_linkThisScript(['id' => $this->pageinfo['content_from_pid']]);
             $title = BackendUtility::getRecordTitle('pages', $contentPage);
-            $link = '<a href="' . $linkToPid . '">' . htmlspecialchars($title) . ' (PID ' . (int)$this->pageinfo['content_from_pid'] . ')</a>';
+            $link = '<a href="' . htmlspecialchars($linkToPid) . '">' . htmlspecialchars($title) . ' (PID ' . (int)$this->pageinfo['content_from_pid'] . ')</a>';
             $message = sprintf($lang->getLL('content_from_pid_title'), $link);
             $view->assignMultiple([
                 'title' => $title,
-- 
GitLab