From 7339543a0f703221b5477c47dd2514c325b23d6b Mon Sep 17 00:00:00 2001
From: Markus Klein <markus.klein@typo3.org>
Date: Tue, 12 May 2020 11:29:09 +0200
Subject: [PATCH] [SECURITY] Escape shortened placeholder text in HTML output

Prevent XSS by escaping the shortened placeholder text for various
Backend form elements properly.

Resolves: #90817
Releases: master, 9.5
Change-Id: I58f61b2d3d902dd3cb07e97acf974156f100a8aa
Security-Bulletin: TYPO3-CORE-SA-2020-002
Security-References: CVE-2020-11064
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64471
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../backend/Classes/Form/Element/InputColorPickerElement.php    | 2 +-
 .../backend/Classes/Form/Element/InputDateTimeElement.php       | 2 +-
 typo3/sysext/backend/Classes/Form/Element/InputLinkElement.php  | 2 +-
 typo3/sysext/backend/Classes/Form/Element/InputTextElement.php  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Form/Element/InputColorPickerElement.php b/typo3/sysext/backend/Classes/Form/Element/InputColorPickerElement.php
index d47603f5c1e6..c46f782e5d96 100644
--- a/typo3/sysext/backend/Classes/Form/Element/InputColorPickerElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/InputColorPickerElement.php
@@ -245,7 +245,7 @@ class InputColorPickerElement extends AbstractFormElement
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
             $fullElement[] =    '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
-            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
+            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
             $fullElement[] =    '</div>';
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
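Review bot: The added `htmlspecialchars($shortenedPlaceholder)` relies on PHP's default flags, which before PHP 8.1 encode double quotes but not single quotes, so it is sufficient here only because the `value` attribute is double-quoted. Spelling the flags out, `htmlspecialchars($shortenedPlaceholder, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, keeps the encoding correct if the markup's quoting ever changes and avoids an empty value when the text contains invalid UTF-8. The identical line is patched in InputDateTimeElement, InputLinkElement and InputTextElement, so the same applies to those three hunks. Four copies of this markup also suggest moving the placeholder rendering into a shared helper on AbstractFormElement, so that a further element copying the block cannot miss the escaping. The enclosing method starts and ends outside the hunk, so how `$shortenedPlaceholder` is derived is not visible here.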
diff --git a/typo3/sysext/backend/Classes/Form/Element/InputDateTimeElement.php b/typo3/sysext/backend/Classes/Form/Element/InputDateTimeElement.php
index 1cac993f3361..c1a97c41dc97 100644
--- a/typo3/sysext/backend/Classes/Form/Element/InputDateTimeElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/InputDateTimeElement.php
@@ -268,7 +268,7 @@ class InputDateTimeElement extends AbstractFormElement
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
             $fullElement[] =    '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
-            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
+            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
             $fullElement[] =    '</div>';
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
diff --git a/typo3/sysext/backend/Classes/Form/Element/InputLinkElement.php b/typo3/sysext/backend/Classes/Form/Element/InputLinkElement.php
index 7b4c1ad02d06..a36b379b1cce 100644
--- a/typo3/sysext/backend/Classes/Form/Element/InputLinkElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/InputLinkElement.php
@@ -296,7 +296,7 @@ class InputLinkElement extends AbstractFormElement
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
             $fullElement[] =    '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
-            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
+            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
             $fullElement[] =    '</div>';
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
diff --git a/typo3/sysext/backend/Classes/Form/Element/InputTextElement.php b/typo3/sysext/backend/Classes/Form/Element/InputTextElement.php
index 4675a9ec3d2c..45d249c2297b 100644
--- a/typo3/sysext/backend/Classes/Form/Element/InputTextElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/InputTextElement.php
@@ -327,7 +327,7 @@ class InputTextElement extends AbstractFormElement
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-placeholder">';
             $fullElement[] =    '<div class="form-control-wrap" style="max-width:' . $width . 'px">';
-            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . $shortenedPlaceholder . '" />';
+            $fullElement[] =        '<input type="text" class="form-control" disabled="disabled" value="' . htmlspecialchars($shortenedPlaceholder) . '" />';
             $fullElement[] =    '</div>';
             $fullElement[] = '</div>';
             $fullElement[] = '<div class="t3js-formengine-placeholder-formfield">';
-- 
GitLab