From 5d0dcc51c9b0bf335c34320b7adef50f60a2fa46 Mon Sep 17 00:00:00 2001
From: Benjamin Mack <benni@typo3.org>
Date: Tue, 25 Nov 2014 13:15:00 +0100
Subject: [PATCH] [BUGFIX] Add hsc to new icon link in TypoScript module

As a a followup to the recent icon patch
this changes the link to be HSCed on output.

Resolves: #63320
Relates: #63309
Releases: master
Change-Id: Ief51923f1442b3d1bc5b08f1da10e01be86cfe22
Reviewed-on: http://review.typo3.org/34598
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
---
 .../Controller/TypoScriptTemplateModuleController.php        | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/tstemplate/Classes/Controller/TypoScriptTemplateModuleController.php b/typo3/sysext/tstemplate/Classes/Controller/TypoScriptTemplateModuleController.php
index 204a62921b7d..4c66fadc19c6 100644
--- a/typo3/sysext/tstemplate/Classes/Controller/TypoScriptTemplateModuleController.php
+++ b/typo3/sysext/tstemplate/Classes/Controller/TypoScriptTemplateModuleController.php
@@ -250,9 +250,10 @@ class TypoScriptTemplateModuleController extends \TYPO3\CMS\Backend\Module\BaseS
 				// NEW button
 				$urlParameters = array(
 					'id' => $this->id,
-					'template' => 'all'
+					'template' => 'all',
+					'createExtension' => 'new'
 				);
-				$buttons['new'] = '<a href="' . BackendUtility::getModuleUrl('web_ts', array_merge($urlParameters, array('createExtension' => 'new'))) . '" title="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:db_new.php.pagetitle', TRUE) . '">' . IconUtility::getSpriteIcon('actions-document-new') . '</a>';
+				$buttons['new'] = '<a href="' . htmlspecialchars(BackendUtility::getModuleUrl('web_ts', $urlParameters)) . '" title="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:db_new.php.pagetitle', TRUE) . '">' . IconUtility::getSpriteIcon('actions-document-new') . '</a>';
 				if (!empty($this->e) && !GeneralUtility::_POST('abort') && !GeneralUtility::_POST('saveclose')) {
 					// no NEW-button while edit
 					$buttons['new'] = '';
-- 
GitLab