From d06331e805eb3880efac55bdc27b5cfa1579ec46 Mon Sep 17 00:00:00 2001
From: Helmut Hummel <typo3@helhum.io>
Date: Fri, 9 Mar 2018 22:14:09 +0100
Subject: [PATCH] [BUGFIX] Properly HTML encode site name in page module

Resolves: #84191
Releases: master, 8.7, 7.6
Change-Id: Id0f2da6f77b3c01293478329503dc922ccd7e72c
Reviewed-on: https://review.typo3.org/56087
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
---
 .../sysext/backend/Classes/Controller/PageLayoutController.php  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/backend/Classes/Controller/PageLayoutController.php b/typo3/sysext/backend/Classes/Controller/PageLayoutController.php
index 0188221a2f1d..e356a54e264a 100644
--- a/typo3/sysext/backend/Classes/Controller/PageLayoutController.php
+++ b/typo3/sysext/backend/Classes/Controller/PageLayoutController.php
@@ -674,7 +674,7 @@ class PageLayoutController
                 'mainJsFunctions',
                 'if (top.fsMod) top.fsMod.recentIds["web"] = ' . (int)$this->id . ';'
             );
-            $content .= '<h1>' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '</h1>';
+            $content .= '<h1>' . htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']) . '</h1>';
             $view = GeneralUtility::makeInstance(StandaloneView::class);
             $view->setTemplatePathAndFilename(GeneralUtility::getFileAbsFileName('EXT:backend/Resources/Private/Templates/InfoBox.html'));
             $view->assignMultiple([
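Review bot: The added `htmlspecialchars()` call on the `<h1>` line relies on PHP's default flags, which on PHP versions before 8.1 are `ENT_COMPAT | ENT_HTML401`: single quotes are left unencoded and an invalid byte sequence in the site name makes the call return an empty string. That is sufficient for the element-text context used here, but it would not be if the same expression were later copied into a single-quoted attribute. Passing the flags explicitly makes the intent visible and keeps the heading from silently disappearing: `htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. A short comment such as `// sitename is installation configuration, still encoded as untrusted text for HTML output` would record why the encoding is there. The enclosing method starts and ends outside this hunk, so whether the site name is also passed into the `StandaloneView` that follows cannot be checked from here.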
-- 
GitLab