From 599646bd98dfb09fe52ab5f9ac0d1b3804920224 Mon Sep 17 00:00:00 2001
From: Steffen Kamper <info@sk-typo3.de>
Date: Thu, 20 Jan 2011 23:42:01 +0000
Subject: [PATCH] Fixed bug #17133: Pagetree - qtip can be used to execute
 custom javascript (XSS) (Thanks to Stefan Galinski)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@10182 709f56b5-9817-0410-a4d7-c38de5d9e867
---
 ChangeLog                                                  | 1 +
 t3lib/tree/pagetree/class.t3lib_tree_pagetree_commands.php | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 835552e9e17a..caf28985e039 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,7 @@
 
 2011-01-20  Steffen Kamper  <steffen@typo3.org>
 
+	* Fixed bug #17133: Pagetree - qtip can be used to execute custom javascript (XSS) (Thanks to Stefan Galinski)
 	* Follow-up to #17153: Protect C(R)UD actions against CSRF - Add token to ExtDirect calls (Thanks to Stefan Galinski)
 	* Fixed bug #17178: Rename extension "list" to "recordlist"
 	* Fixed bug #17162: Missing localization in t3lib_tsstyleconfig
diff --git a/t3lib/tree/pagetree/class.t3lib_tree_pagetree_commands.php b/t3lib/tree/pagetree/class.t3lib_tree_pagetree_commands.php
index 9100061258f3..4e9b12d4f7a5 100644
--- a/t3lib/tree/pagetree/class.t3lib_tree_pagetree_commands.php
+++ b/t3lib/tree/pagetree/class.t3lib_tree_pagetree_commands.php
@@ -288,9 +288,11 @@ final class t3lib_tree_pagetree_Commands {
 		$subNode = t3lib_div::makeInstance('t3lib_tree_pagetree_Node');
 		$subNode->setRecord($record);
 		$subNode->setCls($record['_CSSCLASS']);
-		$subNode->setQTip(str_replace(' - ', '<br />', t3lib_BEfunc::titleAttribForPages($record, '', FALSE)));
 		$subNode->setType('pages');
 
+		$qtip = t3lib_BEfunc::titleAttribForPages($record, '', FALSE);
+		$subNode->setQTip(str_replace(' - ', '<br />', htmlspecialchars($qtip)));
+
 		$subNode->setId($record['uid']);
 		$subNode->setMountPoint($mountPoint);
 		$subNode->setWorkspaceId(($record['_ORIG_uid'] ? $record['_ORIG_uid'] : $record['uid']));
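Review bot: The new `htmlspecialchars($qtip)` call relies on the default flag set, which does not escape single quotes; if the ExtJS qtip is ever emitted inside a single-quoted attribute or a JavaScript string on the client side (inferred, the rendering code is not in this hunk), the escaping is incomplete. Passing the flag explicitly, `htmlspecialchars($qtip, ENT_QUOTES)`, closes that gap and records the intended HTML context at the point of escaping. The ordering of the two calls is correct, since escaping before the `str_replace` keeps the inserted `<br />` intact, and a short comment such as `// escape the record-derived title before adding markup so page titles cannot inject HTML into the tooltip` would make that dependency explicit for the next editor. The enclosing method starts and ends outside the hunk.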
@@ -337,4 +339,4 @@ final class t3lib_tree_pagetree_Commands {
 	}
 }
 
-?>
\ No newline at end of file
+?>
-- 
GitLab