Commit ef368acb authored by Nicole Cordes, committed by Oliver Hader

[SECURITY] Prevent XSS in SelectMultipleSideBySideElement

In JavaScript context the title attribute of a selected option is passed
as unescaped HTML argument to the function. Creating a new option tag
without title validation results in an XSS possibility. This patch removes
hardcoded attribute setting and uses jQuery functions which take care
of proper escaping.

Resolves: #75164
Releases: master, 7.6, 6.2
Security-Commit: 1f0d09bfe5899fa189ee6bde102665956dc0f9b1
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I6445259a8608fa7a592b4574cb01c672ae1a4b93
Reviewed-on: https://review.typo3.org/47596


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
parent e7ca5857
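
The difference the commit message describes, as an added example that is not part of the commit or of TYPO3's code: an option element built by string concatenation next to one whose attribute values are escaped, with a simplified tokenizer showing how many tags each string yields. All function names and the sample title are constructed for illustration.

```javascript
// Added illustration, not TYPO3 code; all function names are hypothetical.

// Pattern described in the commit message: attribute values are
// concatenated into markup without escaping.
function optionByConcatenation(value, title, label) {
  return '<option value="' + value + '" title="' + title + '">' + label + '</option>';
}

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Escaped variant. In a browser with jQuery the equivalent is
// $('<option>').attr({ value: value, title: title }).text(label),
// which sets attributes on the element instead of parsing a string.
function optionEscaped(value, title, label) {
  return '<option value="' + escapeHtml(value) + '" title="' + escapeHtml(title) + '">' +
    escapeHtml(label) + '</option>';
}

// Simplified tokenizer (not a full HTML parser): returns the tag names
// found in a markup string, honouring quoted attribute values.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    let j = i + 1;
    while (j < html.length && /[\/A-Za-z0-9]/.test(html[j])) j++;
    names.push(html.slice(i + 1, j).toLowerCase());
    let quote = null; // skip to the closing '>' that is outside any quotes
    while (j < html.length) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j++;
    }
    i = j + 1;
  }
  return names;
}

// Constructed sample title that closes the attribute and opens a new tag.
const sampleTitle = '"><img src="x" alt="injected';
console.log(tagNames(optionByConcatenation('1', sampleTitle, 'Label')));
console.log(tagNames(optionEscaped('1', sampleTitle, 'Label')));
```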