[BUGFIX] Improve/escape output of HTML in key, message and extra_data fields

Francois Suter · Francois Suter · commit 95af0e8fc36e · 2016-11-15T08:39:02.000+01:00
Resolves #2. Change-Id: Iede72db43653c5b582a309a5b850f961fd7201e3
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,7 @@
+2016-11-15 Francois Suter <typo3@cobweb.ch>
+
+	* Improved escaping of HTML content in log entries, resolves #2
+
 2016-11-13 Francois Suter <typo3@cobweb.ch>
 
 	* Verified compatibility with TYPO3 v8 (8.5.-dev), resolves #78626
diff --git a/Classes/Domain/Repository/EntryRepository.php b/Classes/Domain/Repository/EntryRepository.php
@@ -378,6 +378,9 @@ protected function expandEntryData(array $entries)
         if ($numEntries > 0) {
             $users = $this->findAllUsers();
             for ($i = 0; $i < $numEntries; $i++) {
+                // Escape potentially malign data
+                $entries[$i]['key'] = htmlspecialchars($entries[$i]['key']);
+                $entries[$i]['message'] = htmlspecialchars($entries[$i]['message']);
                 // Grab username instead of id
                 $userId = (int)$entries[$i]['cruser_id'];
                 if ($userId > 0 && isset($users[$userId])) {
@@ -405,12 +408,12 @@ protected function expandEntryData(array $entries)
                     $entries[$i]['page'] = $pageTitle;
                     $pageInformationCache[$pid] = $pageTitle;
                 }
-                // Process extra data (uncompress and dump)
+                // Process extra data (uncompress, dump and escape)
                 if ($entries[$i]['extra_data'] === '') {
                     $extraData = '';
                 } else {
                     $extraData = gzuncompress($entries[$i]['extra_data']);
-                    $extraData = var_export(unserialize($extraData), true);
+                    $extraData = htmlspecialchars(var_export(unserialize($extraData), true));
                 }
                 $entries[$i]['extra_data'] = $extraData;
             }
diff --git a/Classes/Utility/Logger.php b/Classes/Utility/Logger.php
@@ -119,7 +119,7 @@ public function log($logData)
         $this->counter++;
         $entry->setCrdate(time());
         $entry->setMessage(
-                GeneralUtility::removeXSS($logData['msg'])
+                strip_tags($logData['msg'])
         );
         $entry->setExtkey(
                 strip_tags($logData['extKey'])
diff --git a/Classes/Utility/UserFields.php b/Classes/Utility/UserFields.php
@@ -90,7 +90,7 @@ public function displayExtraData($PA, $formObject)
                         $data,
                         true
                 );
-                $html = '<pre>' . $html . '</pre>';
+                $html = '<pre>' . htmlspecialchars($html) . '</pre>';
             } else {
                 $html = DebuggerUtility::var_dump(
                         $data,

-Original file line number
+Diff line change
@@ @@ -1,3 +1,7 @@ @@
 +2016-11-15 Francois Suter <[email protected]>
++
 +	* Improved escaping of HTML content in log entries, resolves #2
++
 -11-13 Francois Suter <[email protected]>
 	* Verified compatibility with TYPO3 v8 (8.5.-dev), resolves #78626