TYPO3 / Fluid

98%

master: 97%

LAST BUILD ON BRANCH 2.3

branch: 2.3

CHANGE BRANCH

x

Reset

• 2.3
• 2.0
• 2.0.5
• 2.0.6
• 2.0.7
• 2.0.8
• 2.1
• 2.1.4
• 2.1.5
• 2.1.6
• 2.1.7
• 2.2
• 2.2.1
• 2.2.2
• 2.2.3
• 2.2.4
• 2.3.5
• 2.3.6
• 2.3.7
• 2.4
• 2.4.1
• 2.4.2
• 2.5
• 2.5.10
• 2.5.11
• 2.5.5
• 2.5.6
• 2.5.7
• 2.5.8
• 2.5.9
• 2.6
• 2.6.0
• 2.6.1
• 2.6.10
• 2.6.2
• 2.6.3
• 2.6.4
• 2.6.5
• 2.6.6
• 2.6.7
• 2.6.8
• 2.6.9
• 2.7.0
• 2.7.1
• 3.0
• lolli-1
• lolli-2
• lolli-3
• lolli-4
• lolli-5
• main
• master

Build # 1432

Build Type

push

travis-ci

Committed by NamelessCoder

Commit Message

[SECURITY] Introduce selective argument escaping

Addresses three XSS vulnerabilities:

* The "then" and "else" arguments of condition ViewHelpers
  were not escaped. They are now escaped based on the
  escapeChildren toggle of the ViewHelper, which is ON by
  default in subclasses of AbstractConditionViewHelper.
* Content arguments in ViewHelpers which disable
  escapeOutput were not escaped, but values passed as
  child node were escaped. Both cases are now treated
  the same and escaping is based on escapeChildren state.
* TagBased ViewHelpers allowed attribute names containing
  HTML if passed in "additionalAttributes" which made XSS
  possible by crafting array keys with HTML. Attribute names
  are now subjected to the same escaping as attribute values.

Also fixes a couple of undesirable behaviors as well, e.g. avoids
double escaping of output in some combinations of escapeOutput=true
and quoted arguments.

# Conflicts:
#	src/Core/ViewHelper/AbstractConditionViewHelper.php

# Conflicts:
#	src/Core/ViewHelper/TagBuilder.php
#	tests/Unit/Core/Parser/TemplateParserTest.php

Run Details

2623 of 2663 relevant lines covered (98.5%)

157.26 hits per line