From 65a5246cdf51ddec7e9c6f4879669acb6fe629b1 Mon Sep 17 00:00:00 2001 From: Oliver Bartsch <bo@cedev.de> Date: Tue, 16 Mar 2021 10:39:31 +0100 Subject: [PATCH] [SECURITY] Mitigate XSS in PreviewRenderer for menus The content element preview for menus displays the menu type label along with the record title of the defined pages and categories. Since the output was not properly encoded, this led to a XSS vulnerability in the page module. The issue is addressed by properly encoding user input. Note: Because of a bug in `PreviewRenderer`, the vulnerable code was most likely not executed in any TYPO3 installation after v8.6.0. Resolves: #93664 Releases: master, 11.1, 10.4, 9.5 Change-Id: I56ec17f5f07ff4d7c28f2241e0c9eeee9affd71f Security-Bulletin: TYPO3-CORE-SA-2021-008 Security-References: CVE-2021-21370 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68453 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../Classes/Preview/StandardContentPreviewRenderer.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/typo3/sysext/backend/Classes/Preview/StandardContentPreviewRenderer.php b/typo3/sysext/backend/Classes/Preview/StandardContentPreviewRenderer.php
index 016c91207e4f..cba9fa6adb41 100644
--- a/typo3/sysext/backend/Classes/Preview/StandardContentPreviewRenderer.php
+++ b/typo3/sysext/backend/Classes/Preview/StandardContentPreviewRenderer.php
@@ -135,7 +135,7 @@ class StandardContentPreviewRenderer implements PreviewRendererInterface, Logger
 BackendUtility::getLabelFromItemListMerged($record['pid'], 'tt_content', 'menu_type', $record['menu_type'])
 );
 $menuTypeLabel = $menuTypeLabel ?: 'invalid menu type';
- $out .= $this->linkEditContent($menuTypeLabel, $record);
+ $out .= $this->linkEditContent(htmlspecialchars($menuTypeLabel), $record);
 if ($record['menu_type'] !== '2' && ($record['pages'] || $record['selected_categories'])) {
 // Show pages if menu type is not "Sitemap"
 $out .= ':' . $this->linkEditContent($this->generateListForCTypeMenu($record), $record) . '<br />';
@@ -379,7 +379,7 @@ class StandardContentPreviewRenderer implements PreviewRendererInterface, Logger
 foreach ($uidList as $uid) {
 $uid = (int)$uid;
 $pageRecord = BackendUtility::getRecord($table, $uid, 'title');
- $content .= '<br>' . $pageRecord['title'] . ' (' . $uid . ')';
+ $content .= '<br>' . htmlspecialchars($pageRecord['title']) . ' (' . $uid . ')';
 }
 return $content;
 }
-- 
GitLab
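Review bot: The new `htmlspecialchars($menuTypeLabel)` in the first hunk is applied at the call site without any comment on why the escaping belongs here rather than inside `linkEditContent()`, and the next reader may be tempted to "fix" that by moving it. The neighbouring context line passes the `<br>`-bearing output of `generateListForCTypeMenu()` straight into `linkEditContent()`, which shows that the helper expects already-encoded HTML, so a short note at the changed line would pin the contract down: `// linkEditContent() expects pre-encoded HTML; the label is derived from the record's menu_type value, so escape it here`. The fallback `'invalid menu type'` is a fixed literal and is harmless to escape. The enclosing method starts and ends outside the hunk.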
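Review bot: In the second hunk, `BackendUtility::getRecord($table, $uid, 'title')` presumably yields `null` when no row matches (a page or category that was deleted after being selected), so the new line `htmlspecialchars($pageRecord['title'])` would read an offset on `null` and pass `null` into `htmlspecialchars()`, which PHP 8.1 reports as deprecated; the encoding fix does not change that pre-existing gap. A small guard keeps the output well-formed: `$title = (string)($pageRecord['title'] ?? '');` followed by `$content .= '<br>' . htmlspecialchars($title) . ' (' . $uid . ')';`, or `continue` when `$pageRecord === null` if missing records should simply be omitted. `$uid` is cast to `int` on the line above, so it needs no escaping. The enclosing method (presumably `generateListForCTypeMenu()`) starts outside the hunk.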