TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components)

Categories: Development, Security Created by Torben Hansen
It has been discovered that the extension "Fluid Components" (fluid_components) is susceptible to Cross-Site Scripting.

Problem Description

The extension  is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation.

Solution

Updated versions 3.5.0 are available from the TYPO3 extension manager, packagist and at
https://extensions.typo3.org/extension/download/fluid_components/3.5.0/zip
Users of the extension are advised to update the extension as soon as possible.

Breaking change - Manual actions required

The fixed version of the extension introduces the new SlotViewHelper, which must be used to safely render HTML markup that was passed to a component as an argument. Please refer to the extension documentation for further details.

The fixed version of the extension comes with the new symfony console command fluidcomponents:checkContentEscaping, which checks for possible escaping issues with content parameter due to new children escaping behavior. Please make sure to check your project’s template files with this console command to prevent unwanted escaping of HTML markup.

Credits

Thanks to Helmut Hummel for reporting the vulnerability and to Simon Praetorius for providing updated versions of the extension.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.