From ab479dd576f014e877280c8c4db95cabfb89e35f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20E=C3=9Fl?= <indy.essl@gmail.com> Date: Mon, 18 May 2020 09:51:37 +0200 Subject: [PATCH] [BUGFIX] Correctly double and single quotes in page tree tooltips There were several problems with tooltips in the page tree: - htmlspecialchars was applied twice to the tooltip string. Once in BackendUtility::titleAttribForPages, once in TreeController. - When applying double or single quotes to a page title, the tooltips in the page tree would show these as html entities. Double and single quotes are now allowed, while any potential html tags in the title will be stripped from the tooltip. Any of those characters (", ', <, >) left in the tooltip are later escaped to unicode in the json view. Resolves: #91424 Releases: master Change-Id: I53b2ad6bbd4e4131535eb573422a8cbd5d002858 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64511 Tested-by: Benni Mack <benni@typo3.org> Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> --- .../backend/Classes/Controller/Page/TreeController.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php index 7b5a979002e3..076244f23615 100644 --- a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php +++ b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php @@ -337,6 +337,8 @@ class TreeController * Converts nested tree structure produced by PageTreeRepository to a flat, one level array * and also adds visual representation information to the data. * + * The result is intended to be used as JSON result - dumping data directly to HTML might lead to XSS! + * * @param array $page * @param int $entryPoint * @param int $depth 
@@ -401,7 +403,8 @@ class TreeController // identifier is not only used for pages, therefore it's a string 'identifier' => (string)$pageId, 'depth' => $depth, - 'tip' => htmlspecialchars($tooltip), + // fine in JSON - if used in HTML directly, e.g. quotes can be used for XSS + 'tip' => strip_tags(htmlspecialchars_decode($tooltip)), 'icon' => $icon->getIdentifier(), 'name' => $visibleText, 'type' => (int)($page['doktype'] ?? 0), -- GitLab
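Review bot: the new docblock sentence in the first hunk (around line 340) warns in general terms, but callers would benefit from knowing which key is affected: with this change the `tip` entry contains decoded `"`, `'`, `<` and `>` characters, so name that field in the warning (e.g. "the `tip` value is unescaped text and must not be inserted into HTML without escaping") rather than only saying that dumping the data to HTML "might lead to XSS". The same sentence would also read better with a colon in place of the spaced hyphen.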
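Review bot: `htmlspecialchars_decode($tooltip)` in the second hunk relies on the function's default flags, and on PHP versions before 8.1 that default is `ENT_COMPAT`, which decodes `&quot;` but leaves `&#039;` untouched. Since the commit message says single quotes were showing up as entities (so the encoding side used `ENT_QUOTES`), the decode should pass the matching flag explicitly, `htmlspecialchars_decode($tooltip, ENT_QUOTES)`, or the single-quote case stays broken on those versions. Two further points for the same line: `strip_tags()` treats a lone `<` as the start of a tag and removes everything up to the next `>` or the end of the string, so a title such as "1 < 2" loses its tail; and the encode-then-decode round trip exists only because `BackendUtility::titleAttribForPages` returns HTML-escaped text, so a variant of that helper returning the raw title would let the controller skip the decode and keep a single escaping point at the JSON output.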