From e971b012c837f1e64c1498b567ef6eec304febe5 Mon Sep 17 00:00:00 2001
From: Frank Naegler <frank.naegler@typo3.org>
Date: Tue, 17 Dec 2019 10:52:02 +0100
Subject: [PATCH] [SECURITY] Prevent XSS in EXT:form error message output

Resolves: #88629
Releases: master, 9.5, 8.7
Security-Commit: e179b6dd34bb47f2af28c58c19a14f46ae8f9f52
Security-Bulletin: TYPO3-CORE-SA-2019-021
Change-Id: Ifd513f543f9be44285322136f89992c00be0fbcd
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62709
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../form/Resources/Private/Frontend/Partials/Field/Field.html   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/form/Resources/Private/Frontend/Partials/Field/Field.html b/typo3/sysext/form/Resources/Private/Frontend/Partials/Field/Field.html
index a732424712ff..4f756d26b37c 100644
--- a/typo3/sysext/form/Resources/Private/Frontend/Partials/Field/Field.html
+++ b/typo3/sysext/form/Resources/Private/Frontend/Partials/Field/Field.html
@@ -10,7 +10,7 @@
                 <f:if condition="{validationResults.flattenedErrors}">
                     <span class="error help-block" role="alert">
                         <f:for each="{validationResults.errors}" as="error">
-                            {formvh:translateElementError(element: element, error: error)}
+                            <f:format.htmlspecialchars>{formvh:translateElementError(element: element, error: error)}</f:format.htmlspecialchars>
                             <br />
                         </f:for>
                     </span>