[SECURITY] Avoid HTML injection in password recovery mail

The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74900 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

[SECURITY] Avoid HTML injection in password recovery mail
The `receiverName` variable used in the password recovery mail of the Extbase felogin plugin was susceptible to HTML injection due to missing sanitization. The variable is now passed thru the `f:format.htmlspecialchars` ViewHelper. Resolves: #96559 Releases: main, 11.5, 10.4 Change-Id: I60e23c161f7f2fcc87b8870345b10a4c31d7b8db Security-Bulletin: TYPO3-CORE-SA-2022-004 Security-References: CVE-2022-31049 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74900 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
47936328 · Andreas Fernandez · Oliver Hader · 3b16f036 · 47936328
Commit 47936328 authored 2 years ago by Andreas Fernandez Committed by Oliver Hader 2 years ago
--- a/typo3/sysext/felogin/Resources/Private/Email/Templates/PasswordRecovery.html
+++ b/typo3/sysext/felogin/Resources/Private/Email/Templates/PasswordRecovery.html
@@ -9,7 +9,7 @@
        {f:translate(
        key: 'forgot_validate_reset_password_html',
        extensionName: 'felogin',
-        arguments: '{ 0: receiverName, 1: recoveryLink, 2: validUntil }'
+        arguments: '{ 0: "{receiverName -> f:format.htmlspecialchars()}", 1: recoveryLink, 2: validUntil }'
        ) -> f:format.html()}
    </f:spaceless>
 </f:section>