[SECURITY] XSS in Filelist

Properly escape user input when showing error messages during file renaming. Resolves: #59211 Releases: master, 6.2 Security-Bulletin: TYPO3-CORE-SA-2015-004 Change-Id: Iffafad7282445d51fa244f3b31e6886b0b0f65b6 Reviewed-on: http://review.typo3.org/40806 Reviewed-by: Benjamin Mack <benni@typo3.org> Tested-by: Benjamin Mack <benni@typo3.org> Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org>

[SECURITY] XSS in Filelist
Properly escape user input when showing error messages during file renaming. Resolves: #59211 Releases: master, 6.2 Security-Bulletin: TYPO3-CORE-SA-2015-004 Change-Id: Iffafad7282445d51fa244f3b31e6886b0b0f65b6 Reviewed-on: http://review.typo3.org/40806 Reviewed-by: Benjamin Mack <benni@typo3.org> Tested-by: Benjamin Mack <benni@typo3.org> Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
6fa4c8e3 · Markus Bucher · Benjamin Mack · 1757b4d7 · 6fa4c8e3
Commit 6fa4c8e3 authored 10 years ago by Markus Bucher Committed by Benjamin Mack 9 years ago
--- a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
+++ b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
@@ -275,7 +275,7 @@ class ExtendedFileUtility extends BasicFileUtility {
 		foreach ($this->getErrorMessages() as $msg) {
 			$flashMessage = GeneralUtility::makeInstance(
 				FlashMessage::class,
-				$msg,
+				htmlspecialchars($msg),
 				'',
 				FlashMessage::ERROR,
 				TRUE