[SECURITY] XSS in file list through file extension
FAL currently filters invalid characters from file names stored by its API. However, this sanitization had no effect when the file was placed by e.g. uploads via FTP, which doesn't trigger FAL. This patch adds a missing `htmlspecialchars` call when the file extension is rendered and could not be sanitized before due to the mentioned circumstances.

Resolves: #88931
Releases: master, 9.5, 8.7
Security-Commit: 296c6a6723826b4ad2babbb1de5b9d23dfd256ea
Security-Bulletin: TYPO3-CORE-SA-2019-023
Change-Id: I24cbc623f6390944a608eadf3ebe7a13d294e0ae
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62717
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
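The pattern the commit message describes, as an added illustration that is not TYPO3 core code: a file name that bypassed FAL's upload-time filtering (here a constructed sample, as a direct FTP upload could leave it) reaches the file list, and the extension is escaped with `htmlspecialchars` at render time instead of being trusted. The helper names `extractExtension`, `renderExtensionUnsafe` and `renderExtensionSafe` are hypothetical and only mirror the before/after behaviour the message outlines.

```php
<?php
// Added example, not TYPO3 core code. Shows why output escaping at render
// time is needed when upload-time sanitization (FAL) cannot be assumed.

declare(strict_types=1);

/**
 * Take the extension from a file name exactly as a listing would, without
 * assuming the name was filtered when the file was stored.
 */
function extractExtension(string $fileName): string
{
    $pos = strrpos($fileName, '.');
    return $pos === false ? '' : substr($fileName, $pos + 1);
}

/**
 * Pre-patch behaviour (hypothetical helper): the raw extension is
 * interpolated into HTML, so any markup in it is parsed by the browser.
 */
function renderExtensionUnsafe(string $fileName): string
{
    return '<span class="ext">' . extractExtension($fileName) . '</span>';
}

/**
 * Patched behaviour (hypothetical helper): htmlspecialchars() encodes
 * <, >, &, " and ', so the extension is displayed as text, not markup.
 */
function renderExtensionSafe(string $fileName): string
{
    $ext = htmlspecialchars(
        extractExtension($fileName),
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<span class="ext">' . $ext . '</span>';
}

/**
 * Defender-side check: does a stored name contain characters that
 * FAL would have rejected at upload time? Useful for auditing storages
 * that are also written to outside the API (FTP, rsync, deploy scripts).
 */
function hasUnsanitizedCharacters(string $fileName): bool
{
    // Assumed, simplified character class for this example; FAL's own
    // rules are broader and are not reproduced here.
    return preg_match('/[<>"\'&]/', $fileName) === 1;
}

// Constructed sample name: FAL's API would have filtered it, but a file
// placed directly on disk keeps it verbatim.
$fileName = 'notes.<em>txt';

echo 'Unsafe:   ', renderExtensionUnsafe($fileName), PHP_EOL;
echo 'Escaped:  ', renderExtensionSafe($fileName), PHP_EOL;
echo 'Needs review: ', hasUnsanitizedCharacters($fileName) ? 'yes' : 'no', PHP_EOL;
```

The escaping is applied where the value meets HTML, which is the only place the code can know the value's context; input filtering at upload time remains useful but, as the commit notes, is bypassed by every write path that does not go through the API, so it cannot be the sole control.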