[SECURITY] please update ASAP

Escaped inputed values before saving to Database and before using in TYPO3-Backend

Classes/Domain/Finishers/SaveFormToDatabaseFinisher.php

@@ -129,10 +129,10 @@ protected function getFormValues(): array
  foreach ($page->getElementsRecursively() as $pageElem) {
  if ($pageElem->getType() !== 'Honeypot') {
  if($pageElem->getType() !== 'FileUpload' && $pageElem->getType() !== 'ImageUpload'){
- $values[$pageElem->getIdentifier()]['value'] = $valuesWithPages[$pageElem->getIdentifier()];
+ $values[$pageElem->getIdentifier()]['value'] = htmlspecialchars($valuesWithPages[$pageElem->getIdentifier()]);
  }else{
  if($valuesWithPages[$pageElem->getIdentifier()]){
- $values[$pageElem->getIdentifier()]['value'] = $valuesWithPages[$pageElem->getIdentifier()]->getOriginalResource()->getName();
+ $values[$pageElem->getIdentifier()]['value'] = htmlspecialchars($valuesWithPages[$pageElem->getIdentifier()]->getOriginalResource()->getName());
  }
  }
  $values[$pageElem->getIdentifier()]['conf']['label'] = $pageElem->getLabel();

Classes/Form/FormAnswersJsonElement.php

@@ -19,9 +19,9 @@ public function render()
  if (is_array($fieldValues)) {
  foreach ($fieldValues as $fieldKey => $fieldValue) {
  if ($fieldValue['conf']['label']) {
- $out .= '<li>'.$fieldValue['conf']['label'].' - '.(is_array($fieldValue['value']) ? implode(",", $fieldValue['value']) : $fieldValue['value']).'</li>';
+ $out .= '<li>'.$fieldValue['conf']['label'].' - '.(is_array($fieldValue['value']) ? implode(",", htmlspecialchars($fieldValue['value'])) : htmlspecialchars($fieldValue['value'])).'</li>';
  } else {
- $out .= '<li>'.$fieldKey.' - '.(is_array($fieldValue['value']) ? implode(",", $fieldValue['value']) : $fieldValue['value']).'</li>';
+ $out .= '<li>'.$fieldKey.' - '.(is_array($fieldValue['value']) ? implode(",", htmlspecialchars($fieldValue['value'])) : htmlspecialchars($fieldValue['value'])).'</li>';
  }
  }
  }

Resources/Private/Backend/Partials/FormEntry/Properties.html

@@ -9,7 +9,7 @@
  key="LLL:EXT:frp_form_answers/Resources/Private/Language/locallang_be.xlf:tx_frpformanswers_domain_model_formentry.answers"/>
  </td>
  <td>
- {formEntry.answers}
+ <f:format.htmlspecialchars>{formEntry.answers}</f:format.htmlspecialchars>
  </td>
  </tr>
  <tr>
@@ -18,7 +18,7 @@
  key="LLL:EXT:frp_form_answers/Resources/Private/Language/locallang_be.xlf:tx_frpformanswers_domain_model_formentry.field_hash"/>
  </td>
  <td>
- {formEntry.fieldHash}
+ <f:format.htmlspecialchars>{formEntry.fieldHash}</f:format.htmlspecialchars>
  </td>
  </tr>
  <tr>
@@ -27,7 +27,7 @@
  key="LLL:EXT:frp_form_answers/Resources/Private/Language/locallang_be.xlf:tx_frpformanswers_domain_model_formentry.form"/>
  </td>
  <td>
- {formEntry.form}
+ <f:format.htmlspecialchars>{formEntry.form}</f:format.htmlspecialchars>
  </td>
  </tr>
  <tr>
@@ -36,7 +36,7 @@
  key="LLL:EXT:frp_form_answers/Resources/Private/Language/locallang_be.xlf:tx_frpformanswers_domain_model_formentry.exported"/>
  </td>
  <td>
- {formEntry.exported}
+ <f:format.htmlspecialchars>{formEntry.exported}</f:format.htmlspecialchars>
  </td>
  </tr>
 </table>

Resources/Private/CommandTask/Partials/FormEntries/InMail.html

@@ -16,8 +16,8 @@
  <f:format.date format="d.m.Y H:i">{mailItem.crdate}</f:format.date>
  <br>
  Form name: {mailItem.form}<br>
- From: {mailItem.answers.name.value} - {mailItem.answers.email.value}<br>
- Message: {mailItem.answers.message.value}<br>
+ From: <f:format.htmlspecialchars>{mailItem.answers.name.value} - {mailItem.answers.email.value}</f:format.htmlspecialchars><br>
+ Message: <f:format.htmlspecialchars>{mailItem.answers.message.value}</f:format.htmlspecialchars><br>
  <br>
  </f:for>