Commit d0393a87 authored by Benjamin Franzke, committed by Oliver Hader

[SECURITY] Prevent XSS in FormManager backend module

Encode non prepared output of BackendUtility::getRecordTitle.
The string returned by getRecordTitle is only HTML encoded if
the third parameter (`$prep`) is set to true, ensure that
non-prepared usages are encoded on render.

Resolves: #103782
Releases: main, 13.1, 12.4, 11.5
Change-Id: I96b9530d118a21163d6679ebf7120aa40c7ac7b6
Security-Bulletin: TYPO3-CORE-SA-2024-008
Security-References: CVE-2024-34356
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84254


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 87135783
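
The encoding contract described in the commit message, as an added PHP example that is not part of this commit or of TYPO3: `getTitleStandIn()` is a hypothetical, simplified stand-in that models only the `$prep` behaviour, the render functions are illustrative names, and the record is constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a title helper with an opt-in "prepared" mode.
// It models only the contract from the commit message: the result is
// HTML-encoded when $prep is true and returned raw otherwise.
function getTitleStandIn(array $row, bool $prep = false): string
{
    $title = (string)($row['title'] ?? '');
    return $prep
        ? htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : $title;
}

// Before: the non-prepared title is concatenated into markup unencoded.
function renderUnsafe(array $row): string
{
    return '<li>' . getTitleStandIn($row) . '</li>';
}

// After: the non-prepared title is encoded at the point of output.
function renderEncoded(array $row): string
{
    $title = getTitleStandIn($row);
    return '<li>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

// Pitfall when auditing call sites: encoding an already prepared title
// again double-encodes it, so each usage needs exactly one encoding step.
function renderDoubleEncoded(array $row): string
{
    $title = getTitleStandIn($row, true);
    return '<li>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

// Constructed sample record whose title contains markup.
$row = ['title' => 'Contact <img src=x onerror=alert(1)> & more'];

echo renderUnsafe($row), PHP_EOL;        // record markup reaches the page as HTML
echo renderEncoded($row), PHP_EOL;       // title is rendered as plain text
echo renderDoubleEncoded($row), PHP_EOL; // entities are shown literally to the user
```

When reviewing other callers of a helper with this kind of flag, check each usage for which of the three cases it falls into rather than adding encoding everywhere.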