From 3b16f036858ccdf3af8d7958fae7f449b6838bb9 Mon Sep 17 00:00:00 2001
From: Gabe Troyan <gabe+typo3org@ecopixel.com>
Date: Tue, 14 Jun 2022 09:12:22 +0200
Subject: [PATCH] [SECURITY] Ensure text preview of multivalue items in form
 editor

Multivalue items in the form editor user interface were previewed
as HTML, but should be treated as scalar text only.

Resolves: #96743
Releases: main, 11.5, 10.4
Change-Id: I5e8dab26119490ecf19ac5d48c2bc7a5a00daaad
Security-Bulletin: TYPO3-CORE-SA-2022-003
Security-References: CVE-2022-31048
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74899
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../JavaScript/Backend/FormEditor/StageComponent.js  | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/typo3/sysext/form/Resources/Public/JavaScript/Backend/FormEditor/StageComponent.js b/typo3/sysext/form/Resources/Public/JavaScript/Backend/FormEditor/StageComponent.js
index bb1eeba8af0d..99322e8dceb3 100644
--- a/typo3/sysext/form/Resources/Public/JavaScript/Backend/FormEditor/StageComponent.js
+++ b/typo3/sysext/form/Resources/Public/JavaScript/Backend/FormEditor/StageComponent.js
@@ -455,10 +455,10 @@ define(['jquery',
      */
     function setStageHeadline(title) {
       if (getUtility().isUndefinedOrNull(title)) {
-        title = buildTitleByFormElement();
+        title = buildTitleByFormElement().text();
       }
 
-      $(getHelper().getDomElementDataIdentifierSelector('stageHeadline')).html(title);
+      $(getHelper().getDomElementDataIdentifierSelector('stageHeadline')).text(title);
     };
 
     /**
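Review bot: The JSDoc for setStageHeadline closes at line 27, above the hunk, and should now state that `title` is rendered as plain text, because any caller that used to pass markup will see it escaped after the switch to `.text(title)`; something like `@param {string} title Plain-text headline; markup is not interpreted.` would make the new contract visible at the call sites. The added `.text()` call on `buildTitleByFormElement()` assumes that helper returns a jQuery collection, which is defined outside the hunk and could not be confirmed here.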
@@ -923,10 +923,10 @@ define(['jquery',
 
       getHelper()
         .getTemplatePropertyDomElement('_type', template)
-        .append(getFormElementDefinition(formElement, 'label'));
+        .append(document.createTextNode(getFormElementDefinition(formElement, 'label')));
       getHelper()
         .getTemplatePropertyDomElement('_identifier', template)
-        .append(formElement.get('identifier'));
+        .append(document.createTextNode(formElement.get('identifier')));
     };
 
     /**
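Review bot: `document.createTextNode(x)` stringifies its argument, so if `getFormElementDefinition(formElement, 'label')` or `formElement.get('identifier')` can be undefined or null, the preview now shows the literal word "undefined"/"null" where the old jQuery `.append(undefined)` appended nothing. The same applies to `collectionElementConfiguration['label']` in the hunk at line 57 and to `label` in the hunk at line 66. A guard using the utility already present in this file keeps the no-op behaviour: `var typeLabel = getFormElementDefinition(formElement, 'label');` / `if (!getUtility().isUndefinedOrNull(typeLabel)) {` / `  getHelper().getTemplatePropertyDomElement('_type', template).append(document.createTextNode(typeLabel));`. The enclosing function starts outside the hunk, so whether these values are guaranteed non-null upstream could not be verified.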
@@ -971,7 +971,7 @@ define(['jquery',
 
             getHelper()
               .getTemplatePropertyDomElement('_label', rowTemplate)
-              .append(collectionElementConfiguration['label']);
+              .append(document.createTextNode(collectionElementConfiguration['label']));
             $(getHelper().getDomElementDataIdentifierSelector('validatorsContainer'), $(template))
               .append(rowTemplate.html());
           }
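Review bot: The text node created on the new line 57 is not inserted directly; two lines later `rowTemplate.html()` serialises the row and the string is re-parsed as HTML on append, so the label stays inert only because innerHTML serialisation escapes `<`, `>` and `&` in text nodes. That dependency is easy to break in a later edit, and deserves a why-comment on the `.append(rowTemplate.html())` line, e.g. `// rowTemplate.html() re-serialises the label text node; innerHTML escaping keeps it inert` — or appending the row's nodes instead of their serialised form, if the surrounding template code allows it. The enclosing function starts and ends outside the hunk.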
@@ -1031,7 +1031,7 @@ define(['jquery',
           }
         }
 
-        getHelper().getTemplatePropertyDomElement('_label', rowTemplate).append(label);
+        getHelper().getTemplatePropertyDomElement('_label', rowTemplate).append(document.createTextNode(label));
 
         if (isPreselected) {
           getHelper().getTemplatePropertyDomElement('_label', rowTemplate).addClass(
-- 
GitLab