From 6fa4c8e3e196b8d50d0c65e4fd673cd0aded1bda Mon Sep 17 00:00:00 2001
From: Markus Bucher <markusbucher@gmx.de>
Date: Tue, 3 Jun 2014 08:06:05 +0200
Subject: [PATCH] [SECURITY] XSS in Filelist

Properly escape user input when showing error messages
during file renaming.

Resolves: #59211
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-004
Change-Id: Iffafad7282445d51fa244f3b31e6886b0b0f65b6
Reviewed-on: http://review.typo3.org/40806
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
---
 typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
index 726ddde9ff23..f9e4f58a2656 100644
--- a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
+++ b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
@@ -275,7 +275,7 @@ class ExtendedFileUtility extends BasicFileUtility {
 		foreach ($this->getErrorMessages() as $msg) {
 			$flashMessage = GeneralUtility::makeInstance(
 				FlashMessage::class,
-				$msg,
+				htmlspecialchars($msg),
 				'',
 				FlashMessage::ERROR,
 				TRUE
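Review bot: The added `htmlspecialchars($msg)` call relies on PHP's default flags and charset, which differ between PHP versions: before PHP 8.1 the default flag set leaves single quotes unescaped, and before PHP 5.4 the default charset is not UTF-8. How safe the output is therefore depends on the runtime and on the HTML context in which the flash message is later rendered. Passing both explicitly, as in `htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'),`, makes the encoding deterministic. Escaping at this call site covers only the flash-message path, so any other consumer of `getErrorMessages()` (none is visible in this hunk) would still receive the raw text. A comment such as `// $msg may contain user-supplied file names; HTML-escape before it is queued as a flash message` would record why the call is there. The enclosing method starts and ends outside the hunk.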
-- 
GitLab