Merge pull request #537 from sebastian-meyer/fix-xss-issue

Fix XSS issue

Documentation/Settings.yml

@@ -11,7 +11,7 @@ conf.py:
   copyright: 2017
   project: Kitodo.Presentation
   version: 2.3
-  release: 2.3.0
+  release: 2.3.1
   intersphinx_mapping:
     t3tsref:
     - http://docs.typo3.org/typo3cms/TyposcriptReference/

ext_emconf.php

@@ -21,7 +21,7 @@
     'uploadfolder' => TRUE,
     'createDirs' => '',
     'clearCacheOnLoad' => FALSE,
-    'version' => '2.3.0',
+    'version' => '2.3.1',
     'constraints' => array (
         'depends' => array (
             'php' => '7.0.0-',

plugins/listview/class.tx_dlf_listview.php

@@ -365,7 +365,7 @@ protected function getSortingForm() {
 
             if ($piVar != 'order' && $piVar != 'DATA' && !empty($value)) {
 
-                $sorting .= '<input type="hidden" name="'.$this->prefixId.'['.$piVar.']" value="'.htmlspecialchars($value).'" />';
+                $sorting .= '<input type="hidden" name="'.$this->prefixId.'['.preg_replace('/[^A-Za-z0-9_-]/', '', $piVar).']" value="'.htmlspecialchars($value).'" />';
 
             }
 

plugins/navigation/class.tx_dlf_navigation.php

@@ -75,7 +75,7 @@ protected function getPageSelector() {
 
             if ($piVar != 'page' && $piVars != 'DATA' && !empty($value)) {
 
-                $output .= '<input type="hidden" name="'.$this->prefixId.'['.$piVar.']" value="'.htmlspecialchars($value).'" />';
+                $output .= '<input type="hidden" name="'.$this->prefixId.'['.preg_replace('/[^A-Za-z0-9_-]/', '', $piVar).']" value="'.htmlspecialchars($value).'" />';
 
             }