[SECURITY] Encode all file properties in tx_cms_showpic output

Resolves: #103303 Releases: main, 13.1, 12.4, 11.5 Change-Id: I2842cefd5dfc0aff920e61b5fd16f029db8ada4c Security-Bulletin: TYPO3-CORE-SA-2024-009 Security-References: CVE-2024-34357 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84255 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · May 14, 2024 · 3764749 · 3764749
1 parent d0393a8
commit 3764749
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/typo3/sysext/frontend/Classes/Controller/ShowImageController.php b/typo3/sysext/frontend/Classes/Controller/ShowImageController.php
@@ -166,12 +166,12 @@ public function main()
             '###publicUrl###' => htmlspecialchars($processedImage->getPublicUrl() ?? ''),
             '###alt###' => htmlspecialchars($this->file->getProperty('alternative') ?: $this->title),
             '###title###' => htmlspecialchars($this->file->getProperty('title') ?: $this->title),
-            '###width###' => $processedImage->getProperty('width'),
-            '###height###' => $processedImage->getProperty('height'),
+            '###width###' => htmlspecialchars((string)$processedImage->getProperty('width')),
+            '###height###' => htmlspecialchars((string)$processedImage->getProperty('height')),
         ];
         $this->imageTag = str_replace(array_keys($imageTagMarkers), array_values($imageTagMarkers), $this->imageTag);
         $markerArray = [
-            '###TITLE###' => $this->file->getProperty('title') ?: $this->title,
+            '###TITLE###' => htmlspecialchars($this->file->getProperty('title') ?: $this->title),
             '###IMAGE###' => $this->imageTag,
             '###BODY###' => $this->bodyTag,
         ];