[SECURITY] Prevent XSS in EXT:form error message output

Resolves: #88629 Releases: master, 9.5, 8.7 Security-Commit: df38c239aa9c627fb7b6f1c384d45ff0940d98fa Security-Bulletin: TYPO3-CORE-SA-2019-021 Change-Id: Ib12dc0affe7f15f1869cff57ea09d9999a0d632a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62715 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

[SECURITY] Prevent XSS in EXT:form error message output
Resolves: #88629 Releases: master, 9.5, 8.7 Security-Commit: df38c239aa9c627fb7b6f1c384d45ff0940d98fa Security-Bulletin: TYPO3-CORE-SA-2019-021 Change-Id: Ib12dc0affe7f15f1869cff57ea09d9999a0d632a Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62715 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
37ed78a1 · Frank Naegler · Oliver Hader · 24e9e17a · 37ed78a1
Commit 37ed78a1 authored 5 years ago by Frank Naegler Committed by Oliver Hader 5 years ago
--- a/typo3/sysext/form/Resources/Private/Frontend/Partials/Field/Field.html
+++ b/typo3/sysext/form/Resources/Private/Frontend/Partials/Field/Field.html
@@ -10,7 +10,7 @@
                <f:if condition="{validationResults.flattenedErrors}">
                    <span class="error help-block" role="alert">
                        <f:for each="{validationResults.errors}" as="error">
-                            {formvh:translateElementError(element: element, error: error)}
+                            <f:format.htmlspecialchars>{formvh:translateElementError(element: element, error: error)}</f:format.htmlspecialchars>
                            <br />
                        </f:for>
                    </span>