From 5e2a9d4ea2b128dcaec9866b47203dbc10e7648c Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <ben@bnf.dev>
Date: Thu, 14 Dec 2023 12:20:48 +0100
Subject: [PATCH] [TASK] Sanitize embedded HTML in Installation-Wide Configuration GUI

Input data is statically provided by EXT:core only, so there is no security issue known right now. This change is a preparation to avoid possible future security issues.

Resolves: #102676
Releases: main, 12.4, 11.5
Change-Id: I49a7fdd250e8ce74fdde07ad305cbae7e4af8ec3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82234
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
---
 .../Settings/LocalConfiguration/SubSection.html | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html b/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html
index c20d52693640..0128fba88c06 100644
--- a/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html
+++ b/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html
@@ -43,7 +43,7 @@
 <f:if condition="{f:count(subject: item.allowedValues)} || {item.dataType} == 'dropdown'">
 <f:then>
 <div class="form-group">
- <div class="form-description">{item.description -> f:format.raw()}</div>
+ <div class="form-description">{item.description -> f:sanitize.html()}</div>
 <select data-path="{sectionName}/{item.key}" class="t3-install-form-input-text form-select t3js-localConfiguration-pathValue" {f:if(condition: '!{isWritable}', then: 'disabled')}>
 <f:for each="{item.allowedValues}" key="optionKey" as="optionLabel">
 <option value="{optionKey}" {f:if(condition: '{item.value} == {optionKey}', then: 'selected="selected"')}>{optionLabel} ({optionKey})</option>
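Review bot: The switch to `f:sanitize.html()` on the form-description line is the right layer to fix this at, but the template still leaves no record of why item.description is rendered as markup instead of being escaped, which is exactly what a later maintainer needs when a new source of descriptions is wired in; the same line recurs in the hunks at -65, -73, -89, -105 and -122. A Fluid comment above the first occurrence, e.g. `<f:comment>item.description may contain HTML; it is provided by EXT:core only and is passed through the HTML sanitizer rather than escaped</f:comment>`, would carry the context that currently lives only in the commit message. The sanitizer's allow-list still admits common markup, so the trust boundary remains the description source rather than this template; if descriptions ever become extensible or user-provided, a stricter sanitizer build or plain escaping should be reconsidered. The enclosing `<f:if>`/`<f:for>` structure around each changed line starts and ends outside its hunk.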
@@ -65,7 +65,7 @@
 {f:if(condition: '!{isWritable}', then: 'disabled')} />
 <label class="form-check-label" for="{sectionName}_{item.key}">
- {item.description -> f:format.raw()}
+ {item.description -> f:sanitize.html()}
 </label>
 </div>
 </f:if>
@@ -73,7 +73,7 @@
 <f:if condition="{item.type} == 'input'">
 <div class="form-group">
 <f:if condition="{item.description}">
- <div class="form-description">{item.description -> f:format.raw()}</div>
+ <div class="form-description">{item.description -> f:sanitize.html()}</div>
 </f:if>
 <input
 type="text"
@@ -89,7 +89,7 @@
 <f:if condition="{item.type} == 'password'">
 <div class="form-group">
 <f:if condition="{item.description}">
- <div class="form-description">{item.description -> f:format.raw()}</div>
+ <div class="form-description">{item.description -> f:sanitize.html()}</div>
 </f:if>
 <input
 type="password"
@@ -105,7 +105,7 @@
 <f:if condition="{item.type} == 'number'">
 <div class="form-group">
 <f:if condition="{item.description}">
- <div class="form-description">{item.description -> f:format.raw()}</div>
+ <div class="form-description">{item.description -> f:sanitize.html()}</div>
 </f:if>
 <input
 type="number"
@@ -122,7 +122,7 @@
 <f:if condition="{item.type} == 'textarea'">
 <div class="form-group">
 <f:if condition="{item.description}">
- <div class="form-description">{item.description -> f:format.raw()}</div>
+ <div class="form-description">{item.description -> f:sanitize.html()}</div>
 </f:if>
 <textarea
 rows="5"
-- 
GitLab