From a75a8b62b936bb5425f984817c1b60ab7ecda489 Mon Sep 17 00:00:00 2001
From: Susanne Moog <susanne.moog@typo3.com>
Date: Wed, 8 Nov 2017 15:30:11 +0100
Subject: [PATCH] [BUGFIX] Properly encode text in JS in install tool

In several places the install tool was using html()
instead of text(). Use text() whenever possible.

Resolves: #82949
Releases: master
Change-Id: I9a199d33f233a3b6c6b82965d4bc169999a3452a
Reviewed-on: https://review.typo3.org/54586
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Michael Oehlhof <typo3@oehlhof.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
---
 .../Resources/Public/JavaScript/Modules/CoreUpdate.js     | 2 +-
 .../Public/JavaScript/Modules/DatabaseAnalyzer.js         | 6 +++---
 .../Public/JavaScript/Modules/ExtensionScanner.js         | 8 ++++----
 .../Resources/Public/JavaScript/Modules/FlashMessage.js   | 4 ++--
 .../Resources/Public/JavaScript/Modules/InfoBox.js        | 4 ++--
 .../Resources/Public/JavaScript/Modules/ProgressBar.js    | 2 +-
 .../Resources/Public/JavaScript/Modules/UpgradeWizards.js | 4 ++--
 7 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/CoreUpdate.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/CoreUpdate.js
index ec59a51d91d8..d08bd43e1967 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/CoreUpdate.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/CoreUpdate.js
@@ -244,7 +244,7 @@ define([
 				domButton.find('button').data('action', action);
 			}
 			if (title) {
-				domButton.find('button').html(title);
+				domButton.find('button').text(title);
 			}
 			$(this.selectorOutput).append(domButton);
 		},
diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/DatabaseAnalyzer.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/DatabaseAnalyzer.js
index 599d0e12ed5a..9b8dd870bfe2 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/DatabaseAnalyzer.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/DatabaseAnalyzer.js
@@ -102,13 +102,13 @@ define([
 										aLine.find('.t3js-databaseAnalyzer-suggestion-line-checkbox').attr('checked', 'checked');
 									}
 									aLine.find('.t3js-databaseAnalyzer-suggestion-line-label').attr('for', 't3-install-db-' + hash);
-									aLine.find('.t3js-databaseAnalyzer-suggestion-line-statement').html(line.statement);
+									aLine.find('.t3js-databaseAnalyzer-suggestion-line-statement').text(line.statement);
 									if (line.current !== undefined) {
-										aLine.find('.t3js-databaseAnalyzer-suggestion-line-current-value').html(line.current);
+										aLine.find('.t3js-databaseAnalyzer-suggestion-line-current-value').text(line.current);
 										aLine.find('.t3js-databaseAnalyzer-suggestion-line-current').show();
 									}
 									if (line.rowCount !== undefined) {
-										aLine.find('.t3js-databaseAnalyzer-suggestion-line-count-value').html(line.rowCount);
+										aLine.find('.t3js-databaseAnalyzer-suggestion-line-count-value').text(line.rowCount);
 										aLine.find('.t3js-databaseAnalyzer-suggestion-line-count').show();
 									}
 									aBlock.find('.t3js-databaseAnalyzer-suggestion-block-line').append(aLine);
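Review bot: Switching the statement, current-value and count-value lines to text() is the right call, but nothing at the call site records why, and the next maintainer who wants a formatted SQL snippet is likely to reach for html() again. A one-line comment above the statement line would pin the contract: `// statement/current are server-supplied strings; render as text so SQL containing <, > or & is shown literally`. line.statement appears to be a raw SQL statement taken from the analyzer response, so its content is not something the page controls. The enclosing loop and function start outside the hunk.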
diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/ExtensionScanner.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/ExtensionScanner.js
index bb2f4eb2db1d..55d81c2a24cc 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/ExtensionScanner.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/ExtensionScanner.js
@@ -219,8 +219,8 @@ define(['jquery',
 												var aMatch = $(hitTemplate).clone();
 												aMatch.find('.t3js-extensionScanner-hit-file-panel-head').attr('href', '#collapse' + match.uniqueId);
 												aMatch.find('.t3js-extensionScanner-hit-file-panel-body').attr('id', 'collapse' + match.uniqueId);
-												aMatch.find('.t3js-extensionScanner-hit-filename').html(file);
-												aMatch.find('.t3js-extensionScanner-hit-message').html(match.message);
+												aMatch.find('.t3js-extensionScanner-hit-filename').text(file);
+												aMatch.find('.t3js-extensionScanner-hit-message').text(match.message);
 												if (match.indicator === 'strong') {
 													aMatch.find('.t3js-extensionScanner-hit-file-panel-head .badges')
 														.append('<span class="badge" title="Reliable match, false positive unlikely">strong</span>');
@@ -241,8 +241,8 @@ define(['jquery',
 														aRest.find('.t3js-extensionScanner-hit-rest-panel-head').attr('href', '#collapse' + restFile.uniqueId);
 														aRest.find('.t3js-extensionScanner-hit-rest-panel-head .badge').empty().text(restFile.version);
 														aRest.find('.t3js-extensionScanner-hit-rest-panel-body').attr('id', 'collapse' + restFile.uniqueId);
-														aRest.find('.t3js-extensionScanner-hit-rest-headline').html(restFile.headline);
-														aRest.find('.t3js-extensionScanner-hit-rest-body').html(restFile.content);
+														aRest.find('.t3js-extensionScanner-hit-rest-headline').text(restFile.headline);
+														aRest.find('.t3js-extensionScanner-hit-rest-body').text(restFile.content);
 														aRest.addClass('panel-' + restFile.class);
 														aMatch.find('.t3js-extensionScanner-hit-file-rest-container').append(aRest);
 														self.listOfAffectedRestFileHashes.push(restFile.file_hash);
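Review bot: Rendering restFile.content with text() drops any markup the .rst body may have carried, and if that content is multi-line plain text its line breaks will now collapse in display unless the .t3js-extensionScanner-hit-rest-body element already has `white-space: pre-wrap` (or similar) in its stylesheet; worth confirming the styling rather than assuming it. `aRest.addClass('panel-' + restFile.class)` on the following line also takes a server value; addClass cannot inject markup, so it is fine, but a short comment documenting what restFile.class is expected to contain (presumably a severity keyword used only as a CSS class suffix) would make the trust boundary explicit. The enclosing callback and function start outside the hunk.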
diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/FlashMessage.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/FlashMessage.js
index 333ec335ce4a..8554df58846c 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/FlashMessage.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/FlashMessage.js
@@ -35,10 +35,10 @@ define(['jquery', 'TYPO3/CMS/Install/Severity'], function ($, Severity) {
 		var flashMessage = this.template.clone();
 		flashMessage.addClass('alert-' + Severity.getCssClass(severity));
 		if (title) {
-			flashMessage.find('h4').html(title);
+			flashMessage.find('h4').text(title);
 		}
 		if (message) {
-			flashMessage.find('.messageText').html(message);
+			flashMessage.find('.messageText').text(message);
 		} else {
 			flashMessage.find('.messageText').remove();
 		}
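Review bot: FlashMessage and InfoBox look like shared rendering helpers, so moving title and message from html() to text() changes the contract for every caller: a message that previously carried markup (a `<br>` or a link) will now appear with its tags visible. The commit does not record that contract anywhere callers will see it; a JSDoc line on the enclosing function such as `@param {string} message - plain text, rendered via text(); markup is not interpreted` (and the same for title) would do. The InfoBox hunk at `infoBox.find('.callout-body').text(message)` has the same gap. The enclosing function's signature is outside the hunk.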
diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/InfoBox.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/InfoBox.js
index 30d4562e5fed..292781333519 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/InfoBox.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/InfoBox.js
@@ -35,10 +35,10 @@ define(['jquery', 'TYPO3/CMS/Install/Severity'], function ($, Severity) {
 		var infoBox = this.template.clone();
 		infoBox.addClass('callout-' + Severity.getCssClass(severity));
 		if (title) {
-			infoBox.find('h4').html(title);
+			infoBox.find('h4').text(title);
 		}
 		if (message) {
-			infoBox.find('.callout-body').html(message);
+			infoBox.find('.callout-body').text(message);
 		} else {
 			infoBox.find('.callout-body').remove();
 		}
diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/ProgressBar.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/ProgressBar.js
index 77425f3cdc62..b44effa2ffe5 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/ProgressBar.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/ProgressBar.js
@@ -39,7 +39,7 @@ define(['jquery', 'TYPO3/CMS/Install/Severity'], function ($, Severity) {
 			progressBar.attr('aria-valuenow',progresss);
 		}
 		if (title) {
-			progressBar.find('.sr-only').html(title);
+			progressBar.find('.sr-only').text(title);
 		}
 		return progressBar;
 	};
diff --git a/typo3/sysext/install/Resources/Public/JavaScript/Modules/UpgradeWizards.js b/typo3/sysext/install/Resources/Public/JavaScript/Modules/UpgradeWizards.js
index ab0d4e2ebe1f..73f19e12ff4e 100644
--- a/typo3/sysext/install/Resources/Public/JavaScript/Modules/UpgradeWizards.js
+++ b/typo3/sysext/install/Resources/Public/JavaScript/Modules/UpgradeWizards.js
@@ -273,7 +273,7 @@ function($, Router, FlashMessage, ProgressBar, InfoBox, Severity) {
 									numberOfWizardsTodo = numberOfWizardsTodo +1;
 									aRow.removeClass('t3js-upgradeWizards-list-row-template');
 									aRow.find(self.selectorWizardsListRowTitle).empty().text(element.title);
-									aRow.find(self.selectorWizardsListRowExplanation).empty().html(element.explanation);
+									aRow.find(self.selectorWizardsListRowExplanation).empty().text(element.explanation);
 									aRow.find(self.selectorWizardsListRowExecute).data('identifier', element.identifier);
 									list.find(self.selectorWizardsListRows).append(aRow);
 								}
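Review bot: `.empty().text(element.explanation)` keeps the `.empty()` from the html() version, but jQuery's text() already replaces the element's entire content, so the call is redundant: `aRow.find(self.selectorWizardsListRowExplanation).text(element.explanation);`. The second hunk in this file, `aRow.find(self.selectorWizardsDoneRowTitle).text(element.title)`, already uses the plain form, so dropping `.empty()` here also makes the two consistent; the pre-existing `.empty().text(element.title)` on the line above could follow in a later cleanup. The enclosing callback and function start outside the hunk.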
@@ -419,7 +419,7 @@ function($, Router, FlashMessage, ProgressBar, InfoBox, Severity) {
 								hasBodyContent = true;
 								var aRow = $(rowTemplate).clone();
 								aRow.find(self.selectorWizardsDoneRowMarkUndone).data('identifier', element.identifier);
-								aRow.find(self.selectorWizardsDoneRowTitle).html(element.title);
+								aRow.find(self.selectorWizardsDoneRowTitle).text(element.title);
 								$wizardsDoneContainer.append(aRow);
 							});
 						}
-- 
GitLab