Fixed bug #16050: htmlArea RTE: Backspacing in empty editing area may raise js error
index 819cbec..7063e5a 100644 (file)
@@ -2,7 +2,7 @@
 /***************************************************************
 *  Copyright notice
 *
-*  (c) 1999-2010 Kasper Skaarhoj (kasperYYYY@typo3.com)
+*  (c) 1999-2010 Kasper Skårhøj (kasperYYYY@typo3.com)
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
  * Wizard for inserting TSconfig in form fields. (page,user or TS)
  *
  * $Id$
- * Revised for TYPO3 3.6 November/2003 by Kasper Skaarhoj
+ * Revised for TYPO3 3.6 November/2003 by Kasper Skårhøj
  * XHTML compliant
  *
- * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
+ * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  */
 /**
  * [CLASS/FUNCTION INDEX of SCRIPT]
@@ -83,7 +83,7 @@ $LANG->includeLLFile('EXT:lang/locallang_wizards.xml');
 /**
  * TypoScript parser extension class.
  *
- * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
+ * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  * @package TYPO3
  * @subpackage core
  */
@@ -112,7 +112,7 @@ class ext_TSparser extends t3lib_tsparser_ext {
 /**
  * Script Class for rendering the TSconfig/TypoScript property browser.
  *
- * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
+ * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  * @package TYPO3
  * @subpackage core
  */
@@ -156,7 +156,9 @@ class SC_wizard_tsconfig {
                $this->objString = t3lib_div::_GP('objString');
                $this->onlyProperty = t3lib_div::_GP('onlyProperty');
                        // Preparing some JavaScript code:
-               if (!is_array($this->P['fieldChangeFunc']))     $this->P['fieldChangeFunc']=array();
+               if (!$this->areFieldChangeFunctionsValid()) {
+                       $this->P['fieldChangeFunc']=array();
+               }
                unset($this->P['fieldChangeFunc']['alert']);
                $update='';
                foreach($this->P['fieldChangeFunc'] as $k=>$v)  {
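Review bot: When areFieldChangeFunctionsValid() returns false on the replaced line, the client-supplied fieldChangeFunc array is silently swapped for an empty one, so a request carrying a forged, stale or missing hash is indistinguishable in the logs from one that never carried change functions at all. A short warning before the reset, using whatever logging helper the rest of typo3/ already uses for such cases, would make tampering attempts visible to operators; at minimum the intent deserves a comment, e.g. `// Hash missing or mismatched: drop the client-supplied JS hooks instead of emitting them`. The enclosing method begins before this hunk and the foreach that turns fieldChangeFunc into JavaScript continues after it, so the effect of the empty array on the generated `$update` string is not visible here.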
@@ -347,7 +349,7 @@ class SC_wizard_tsconfig {
 
                                // Title and description:
                        $out.='<a href="'.htmlspecialchars(t3lib_div::linkThisScript(array('show'=>''))).'" class="typo3-goBack">'.
-                                       t3lib_iconWorks::getSpriteIcon('actions-view-go-back') . 
+                                       t3lib_iconWorks::getSpriteIcon('actions-view-go-back') .
                                        htmlspecialchars($obj_string).
                                        '</a><br />';
                        if ($rec['title'])      $out.= '<strong>'.htmlspecialchars($rec['title']).': </strong>';
@@ -609,7 +611,7 @@ class SC_wizard_tsconfig {
                if(!$this->onlyProperty)        {
                        $aOnClick = 'document.editform.mixer.value=unescape(\'  '.rawurlencode($propertyName.'='.$propertyVal).'\')+\'\n\'+document.editform.mixer.value; return false;';
                        $out.= '<a href="#" onclick="'.htmlspecialchars($aOnClick).'">'.
-                                       t3lib_iconWorks::getSpriteIcon('actions-edit-add', array('title' => $GLOBALS['LANG']->getLL('tsprop_addToList', TRUE))) . 
+                                       t3lib_iconWorks::getSpriteIcon('actions-edit-add', array('title' => $GLOBALS['LANG']->getLL('tsprop_addToList', TRUE))) .
                        '</a>';
                        $propertyName = $prefix.'.'.$propertyName;
                }
@@ -621,6 +623,19 @@ class SC_wizard_tsconfig {
                        // Return link:
                return $out;
        }
+
+       /**
+        * Determines whether submitted field change functions are valid
+        * and are coming from the system and not from an external abuse.
+        *
+        * @return boolean Whether the submitted field change functions are valid
+        */
+       protected function areFieldChangeFunctionsValid() {
+               return (
+                       isset($this->P['fieldChangeFunc']) && is_array($this->P['fieldChangeFunc']) && isset($this->P['fieldChangeFuncHash'])
+                       && $this->P['fieldChangeFuncHash'] == t3lib_div::hmac(serialize($this->P['fieldChangeFunc']))
+               );
+       }
 }
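Review bot: The comparison on the `$this->P['fieldChangeFuncHash'] == t3lib_div::hmac(...)` line uses loose `==`, so PHP type juggling applies: two strings that both parse as numbers (for example a hex digest of the form `0e` followed only by digits) compare equal numerically, and a non-string request value is coerced before comparing. Both operands are meant to be exact hex digests, so require a string and compare strictly: `&& is_string($this->P['fieldChangeFuncHash'])` and `&& $this->P['fieldChangeFuncHash'] === t3lib_div::hmac(serialize($this->P['fieldChangeFunc']))`. If the supported PHP version provides it, a constant-time comparison such as `hash_equals()` is preferable to `===` for an integrity token, though `===` already closes the juggling hole. The docblock phrase "not from an external abuse" reads awkwardly; "and were generated server-side rather than forged by the client" states what the HMAC check actually guarantees.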