From ee5898d2719a9da8955eee2d99177cfe25b89620 Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <ben@bnf.dev>
Date: Thu, 14 Dec 2023 12:20:48 +0100
Subject: [PATCH] [TASK] Sanitize embedded HTML in Installation-Wide Configuration GUI

Input data is statically provided by EXT:core only, so there is no security issue known right now. This change is a preparation to avoid possible future security issues.

Resolves: #102676
Releases: main, 12.4, 11.5
Change-Id: I49a7fdd250e8ce74fdde07ad305cbae7e4af8ec3
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82252
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
---
 .../Settings/LocalConfiguration/SubSection.html | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html b/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html
index c83e05bb1a85..2a65889968a1 100644
--- a/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html
+++ b/typo3/sysext/install/Resources/Private/Partials/Settings/LocalConfiguration/SubSection.html
@@ -42,7 +42,7 @@
 <f:if condition="{f:count(subject: item.allowedValues)} || {item.dataType} == 'dropdown'">
 <f:then>
 <div class="form-group">
-<span class="help-block">{item.description -> f:format.raw()}</span>
+<span class="help-block">{item.description -> f:sanitize.html()}</span>
 <select data-path="{sectionName}/{item.key}" class="t3-install-form-input-text form-select t3js-localConfiguration-pathValue">
 <f:for each="{item.allowedValues}" key="optionKey" as="optionLabel">
 <option value="{optionKey}" {f:if(condition: '{item.value} == {optionKey}', then: 'selected="selected"')}>{optionLabel} ({optionKey})</option>
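Review bot: Nothing in this change pins the sanitized output, so a later edit that reintroduces `f:format.raw()` on `item.description` (or on a new field added to this partial) would pass CI unnoticed; a functional test that renders this partial with a description such as `<a href="#" onclick="alert(1)">x</a><script>y</script>` and asserts that the `onclick` attribute and the `script` element are absent from the output would lock the behaviour in. Note that `f:sanitize.html()` applies a markup allow-list rather than escaping, so descriptions keep links and emphasis but the rendered HTML still depends on the sanitizer's default build; if plain text would do, `{item.description}` with Fluid's default escaping is the stricter choice. Since the commit message is the only place stating that descriptions are static EXT:core data, a short `<f:comment>` at the first sanitized output, e.g. `<f:comment>Descriptions are shipped by EXT:core; sanitized defensively, never rendered raw.</f:comment>`, would carry that assumption into the template for the next maintainer.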
@@ -63,14 +63,14 @@
 />
 <label class="form-check-label" for="{sectionName}_{item.key}">
 <span class="form-check-label-text">
-{item.description -> f:format.raw()}
+{item.description -> f:sanitize.html()}
 </span>
 </label>
 </div>
 </f:if>
 <f:if condition="{item.type} == 'input'">
 <div class="form-group">
-<span class="help-block">{item.description -> f:format.raw()}</span>
+<span class="help-block">{item.description -> f:sanitize.html()}</span>
 <input
 type="text"
 value="{item.value}"
@@ -83,7 +83,7 @@
 <f:if condition="{item.type} == 'password'">
 <div class="form-group">
-<span class="help-block">{item.description -> f:format.raw()}</span>
+<span class="help-block">{item.description -> f:sanitize.html()}</span>
 <input
 type="password"
 value="{item.value}"
@@ -96,7 +96,7 @@
 <f:if condition="{item.type} == 'number'">
 <div class="form-group">
-<span class="help-block">{item.description -> f:format.raw()}</span>
+<span class="help-block">{item.description -> f:sanitize.html()}</span>
 <input
 type="number"
 value="{item.value}"
@@ -108,7 +108,7 @@
 </f:if>
 <f:if condition="{item.type} == 'textarea'">
-<span class="help-block">{item.description -> f:format.raw()}</span>
+<span class="help-block">{item.description -> f:sanitize.html()}</span>
 <div class="form-group">
 <textarea
 rows="5"
--
GitLab