[SECURITY] Encode indexed search results in frontend rendering

ohader · ohader · commit 2e96dd0e9fab · 2026-06-09T10:57:51.000+02:00
Encodes user-submitted content before rendering search results in the frontend to mitigate cross-site scripting vulnerabilities. Resolves: #109695 Releases: main, 14.3, 13.4 Change-Id: Icdeb7e841ce503b79086e37743a7e196581bbb14 Security-Bulletin: TYPO3-CORE-SA-2026-010 Security-References: CVE-2026-47348 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94407 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/indexed_search/Classes/Controller/SearchController.php b/typo3/sysext/indexed_search/Classes/Controller/SearchController.php
@@ -399,14 +399,15 @@ protected function compileSingleResultRow(array $searchData, array $row, int $he
         }
         $title = $resultData['item_title'] . ($resultData['titleaddition'] ?? '');
         $title = GeneralUtility::fixed_lgd_cs($title, (int)$this->settings['results.']['titleCropAfter'], $this->settings['results.']['titleCropSignifier']);
+        $title = htmlspecialchars($title);
         // If external media, link to the media-file instead.
         if ($row['item_type']) {
             if ($row['show_resume']) {
                 $targetAttribute = '';
                 if ($typoScriptConfigArray['fileTarget'] ?? false) {
                     $targetAttribute = ' target="' . htmlspecialchars($typoScriptConfigArray['fileTarget']) . '"';
                 }
-                $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . htmlspecialchars($title) . '</a>';
+                $title = '<a href="' . htmlspecialchars($row['data_filename']) . '"' . $targetAttribute . '>' . $title . '</a>';
             } else {
                 // Suspicious, so linking to page instead...
                 $copiedRow = $row;
