[TASK] Cleanup escaping in EXT:t3editor

Change-Id: Iadee8c9258f7dd267c25f58138ae012c93300a9e Resolves: #71756 Releases: master Reviewed-on: https://review.typo3.org/44859 Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Tested-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Markus Klein <markus.klein@typo3.org> Tested-by: Markus Klein <markus.klein@typo3.org>

[TASK] Cleanup escaping in EXT:t3editor
Change-Id: Iadee8c9258f7dd267c25f58138ae012c93300a9e Resolves: #71756 Releases: master Reviewed-on: https://review.typo3.org/44859 Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Tested-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Markus Klein <markus.klein@typo3.org> Tested-by: Markus Klein <markus.klein@typo3.org>
8430a661 · Stefan Neufeind · Markus Klein · 97b97783 · 8430a661 · 8430a661
Commit 8430a661 authored 9 years ago by Stefan Neufeind Committed by Markus Klein 9 years ago
--- a/typo3/sysext/t3editor/Classes/Hook/FileEditHook.php
+++ b/typo3/sysext/t3editor/Classes/Hook/FileEditHook.php
@@ -91,7 +91,7 @@ class FileEditHook
        if (!$t3editor->getMode()) {
            return;
        }
-        $attributes = 'rows="30" ' . 'wrap="off" ' . $pObj->doc->formWidth(48, true, 'width:98%;height:60%');
+        $attributes = 'rows="30" ' . 'wrap="off"' . $pObj->doc->formWidth(48, true, 'width:98%;height:60%');
        $title = $GLOBALS['LANG']->getLL('file') . ' ' . htmlspecialchars($pObj->target);
        $outCode = $t3editor->getCodeEditor('file[editfile][0][data]', 'text-monospace enable-tab', '$1', $attributes, $title, array(
            'target' => (int)$pObj->target

--- a/typo3/sysext/t3editor/Classes/Hook/TypoScriptTemplateInfoHook.php
+++ b/typo3/sysext/t3editor/Classes/Hook/TypoScriptTemplateInfoHook.php
@@ -71,8 +71,8 @@ class TypoScriptTemplateInfoHook
        $t3editor->getJavascriptCode();
        foreach (array('constants', 'config') as $type) {
            if ($parameters['e'][$type]) {
-                $attributes = 'rows="' . $parameters['numberOfRows'] . '" ' . 'wrap="off" ' . $pObj->pObj->doc->formWidth(48, true, 'width:98%;height:60%');
-                $title = $GLOBALS['LANG']->getLL('template') . ' ' . htmlspecialchars($parameters['tplRow']['title']) . $GLOBALS['LANG']->getLL('delimiter') . ' ' . $GLOBALS['LANG']->getLL($type);
+                $attributes = 'rows="' . (int)$parameters['numberOfRows'] . '" wrap="off"' . $pObj->pObj->doc->formWidth(48, true, 'width:98%;height:60%');
+                $title = $GLOBALS['LANG']->getLL('template') . ' ' . $parameters['tplRow']['title'] . $GLOBALS['LANG']->getLL('delimiter') . ' ' . $GLOBALS['LANG']->getLL($type);
                $outCode = $t3editor->getCodeEditor('data[' . $type . ']', 'text-monospace enable-tab', '$1', $attributes, $title, array(
                    'pageId' => (int)$pObj->pObj->id
                ));

--- a/typo3/sysext/t3editor/Classes/T3editor.php
+++ b/typo3/sysext/t3editor/Classes/T3editor.php
@@ -306,23 +306,20 @@ class T3editor implements \TYPO3\CMS\Core\SingletonInterface
    {
        $code = '';
        $class .= ' t3editor';
-        $alt = htmlspecialchars($alt);
-        if (!empty($alt)) {
-            $alt = ' alt="' . $alt . '"';
-        }
+        $alt = trim($alt);
        $code .=
            '<div class="t3editor">'
                . '<div class="t3e_wrap">'
                    . $this->getPreparedTemplate()
                . '</div>'
                . '<textarea '
-                    . 'id="t3editor_' . $this->editorCounter . '" '
-                    . 'name="' . $name . '" '
-                    . 'class="' . $class . '" '
+                    . 'id="t3editor_' . (int)$this->editorCounter . '" '
+                    . 'name="' . htmlspecialchars($name) . '" '
+                    . 'class="' . htmlspecialchars($class) . '" '
                    . $additionalParams . ' '
-                    . $alt
+                    . ($alt !== '' ? ' alt="' . htmlspecialchars($alt) . '"' : '')
                    . ' data-labels="' . htmlspecialchars(json_encode($GLOBALS['LANG']->getLabelsWithPrefix('js.', 'label_'))) . '"'
-                    . ' data-instance-number="' . $this->editorCounter . '"'
+                    . ' data-instance-number="' . (int)$this->editorCounter . '"'
                    . ' data-editor-path="' . htmlspecialchars($this->relExtPath) . '"'
                    . ' data-codemirror-path="' . htmlspecialchars($this->codemirrorPath) . '"'
                    . ' data-ajaxsavetype="' . htmlspecialchars($this->ajaxSaveType) . '"'
@@ -333,7 +330,7 @@ class T3editor implements \TYPO3\CMS\Core\SingletonInterface
            . '</div>';
        if (!empty($hiddenfields)) {
            foreach ($hiddenfields as $name => $value) {
-                $code .= '<input type="hidden" ' . 'name="' . $name . '" ' . 'value="' . $value . '" />';
+                $code .= '<input type="hidden" ' . 'name="' . htmlspecialchars($name) . '" ' . 'value="' . htmlspecialchars($value) . '" />';
            }
        }
        $this->editorCounter++;