Fixed bug #13137: redirect/returnUrl isn't validated in core (thanks to Georg Ringer...
[Packages/TYPO3.CMS.git] / typo3 / template.php
index 02ea493..f191579 100644 (file)
@@ -372,12 +372,12 @@ class template {
                global $BE_USER;
                $str = '';
                        // If access to Web>List for user, then link to that module.
-               if ($BE_USER->check('modules','web_list'))      {
-                       $href=$backPath.'db_list.php?id='.$id.'&returnUrl='.rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI'));
-                       $str.= '<a href="'.htmlspecialchars($href).'">'.
-                                       '<img'.t3lib_iconWorks::skinImg($backPath,'gfx/list.gif','width="11" height="11"').' title="'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:labels.showList',1).'"'.($addParams?' '.trim($addParams):'').' alt="" />'.
-                                       '</a>';
-               }
+               $str .= t3lib_extMgm::createListViewLink(
+                       $id,
+                       '&returnUrl=' . rawurlencode(t3lib_div::getIndpEnv('REQUEST_URI')),
+                       $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:labels.showList', TRUE)
+               );
+
                        // Make link to view page
                $str.= '<a href="#" onclick="'.htmlspecialchars(t3lib_BEfunc::viewOnClick($id,$backPath,t3lib_BEfunc::BEgetRootLine($id))).'">'.
                                '<img'.t3lib_iconWorks::skinImg($backPath,'gfx/zoom.gif','width="12" height="12"').' title="'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:labels.showPage',1).'"'.($addParams?' '.trim($addParams):"").' hspace="3" alt="" />'.
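Review bot: The `$addParams` argument is no longer applied to the list link: the removed `<img>` appended `trim($addParams)` as extra attributes, while the new `createListViewLink($id, ..., $label)` call receives neither `$addParams` nor `$backPath`, although the view-page link on the very next line still uses both. If `createListViewLink` has no way to accept extra attributes this silently narrows what callers of this method can do; a comment stating that `$addParams` now only affects the view-page icon would at least make that deliberate. The old `$BE_USER->check('modules', 'web_list')` guard has also disappeared from this method — presumably it now lives inside `createListViewLink`, which should be confirmed, and `global $BE_USER` at the top may then be unused here. The enclosing method starts and ends outside the hunk.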
@@ -449,7 +449,7 @@ class template {
        function getHeader($table,$row,$path,$noViewPageIcon=0,$tWrap=array('',''))     {
                global $TCA;
                if (is_array($row) && $row['uid'])      {
-                       $iconImgTag=t3lib_iconWorks::getIconImage($table,$row,$this->backPath,'title="'.htmlspecialchars($path).'"');
+                       $iconImgTag=t3lib_iconWorks::getSpriteIconForRecord($table, $row , array('title' => htmlspecialchars($path)));
                        $title= strip_tags($row[$TCA[$table]['ctrl']['label']]);
                        $viewPage = $noViewPageIcon ? '' : $this->viewPageIcon($row['uid'],$this->backPath,'');
                        if ($table=='pages')    $path.=' - '.t3lib_BEfunc::titleAttribForPages($row,'',0);
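Review bot: The `title` option is pre-escaped with `htmlspecialchars($path)` before going into `getSpriteIconForRecord`, and the last code hunk of this commit does the same for `getSpriteIcon` with the sitename, which implies the sprite helpers insert option values verbatim. If that is the case it deserves a comment at this call, e.g. `// sprite icon helpers do not escape option values; escape attribute text here`; if the helpers do escape, both sites double-encode and the `htmlspecialchars` should be dropped — confirm against `t3lib_iconWorks` once. Minor style: `$row ,` has a stray space before the comma. `getHeader` continues past the hunk.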
@@ -598,7 +598,7 @@ class template {
                ));
 
                $out ="
-       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::_GP('returnUrl')))."';
+       var T3_RETURN_URL = '".str_replace('%20','',rawurlencode(t3lib_div::sanitizeLocalUrl(t3lib_div::_GP('returnUrl'))))."';
        var T3_THIS_LOCATION = '".str_replace('%20','',rawurlencode($thisLocation))."';
                ";
                return $out;
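Review bot: The sanitisation is applied at the exact point the request value is written into a JavaScript literal, with no comment saying why, so a later refactor can drop it without noticing; a one-line comment such as `// returnUrl is request-supplied: restrict it to local URLs before it reaches JS (#13137)` keeps the intent visible. Two things are worth checking rather than assuming: what `sanitizeLocalUrl` returns on rejection (an empty `T3_RETURN_URL` turns any `window.location.href = T3_RETURN_URL` in the consuming scripts into a reload of the current page), and that `$thisLocation` on the following line is built server-side rather than from request input, since it gets no such treatment. The `str_replace('%20', '', ...)` removes encoded spaces instead of decoding them, which is pre-existing but also deserves a comment. The enclosing method starts outside the hunk.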
@@ -1348,7 +1348,7 @@ $str.=$this->docBodyTagBegin().
                )
        );
        var $table_TR = '<tr>';
-       var $table_TABLE = '<table border="0" cellspacing="0" cellpadding="0" id="typo3-tmpltable">';
+       var $table_TABLE = '<table border="0" cellspacing="0" cellpadding="0" class="typo3-dblist" id="typo3-tmpltable">';
 
        /**
         * Returns a table based on the input $data
@@ -1603,7 +1603,6 @@ $str.=$this->docBodyTagBegin().
                        $widthAct = $widthNo + $addToAct;
                        $widthRight = 100 - ($widthLeft + ($count*$widthNo) + $addToAct);
 
-                       $first=true;
                        foreach($menuItems as $id => $def) {
                                $isActive = $def['isActive'];
                                $class = $isActive ? 'tabact' : 'tab';
@@ -1614,14 +1613,7 @@ $str.=$this->docBodyTagBegin().
                                $url = htmlspecialchars($def['url']);
                                $params = $def['addParams'];
 
-                               if($first) {
-                                       $options.= '
-                                                       <td width="'.$width.'%" class="'.$class.'" style="border-left: solid #000 1px;"><a href="'.$url.'" style="padding-left:5px;padding-right:2px;" '.$params.'>'.$label.'</a></td>';
-                               } else {
-                                       $options.='
-                                                       <td width="'.$width.'%" class="'.$class.'"><a href="'.$url.'" '.$params.'>'.$label.'</a></td>';
-                               }
-                               $first=false;
+                               $options .= '<td width="' . $width . '%" class="' . $class . '"><a href="' . $url . '" ' . $params . '>' . $label . '</a></td>';
                        }
 
                        if ($options)   {
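Review bot: On the rewritten `<td>` line only `$url` is escaped; `$params` (from `$def['addParams']`) and `$label` are concatenated into the markup verbatim, so whoever builds `$menuItems` is responsible for escaping them. That contract is not documented anywhere visible, and since this single line now produces the cell for every tab it is the place to record it, e.g. `// $label and $params are inserted as-is (pre-escaped by the caller); only the URL is escaped here`. The `$label` assignment and the enclosing method lie outside the hunk, so whether `$label` is escaped earlier cannot be seen from here.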
@@ -1833,29 +1825,42 @@ $str.=$this->docBodyTagBegin().
 
                                        // If more than one was found...:
                                if (count($versions)>1) {
+                                       $selectorLabel = '<strong>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionSelect.label', TRUE) . '</strong>';
 
                                                // Create selector box entries:
                                        $opt = array();
                                        foreach($versions as $vRow)     {
-                                               $opt[] = '<option value="'.htmlspecialchars(t3lib_div::linkThisScript(array('id'=>$vRow['uid']))).'"'.($id==$vRow['uid']?' selected="selected"':'').'>'.
-                                                               htmlspecialchars($vRow['t3ver_label'].' [v#'.$vRow['t3ver_id'].', WS:'.$vRow['t3ver_wsid'].']'.($vRow['uid']==$onlineId ? ' =>'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.online').'<=':'')).
-                                                               '</option>';
+                                               if ($vRow['uid'] == $onlineId) {
+                                                               //Live version
+                                                       $label = '[' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionSelect.live', TRUE) . ']';
+                                               } else {
+                                                       $label = $vRow['t3ver_label'] . ' (' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionId', TRUE) . ' ' . $vRow['t3ver_id'] .
+                                                               ($vRow['t3ver_wsid'] != 0 ? ' ' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:workspaceId', TRUE) . ' ' . $vRow['t3ver_wsid'] : '') . ')';
+                                               }
+
+                                               $opt[] = '<option value="' . htmlspecialchars(t3lib_div::linkThisScript(array('id' => $vRow['uid']))) . '"' .
+                                                       ($id == $vRow['uid'] ? ' selected="selected"' : '') . '>' .
+                                                       htmlspecialchars($label) . '</option>';
                                        }
 
                                                // Add management link:
-                                       $opt[] = '<option value="'.htmlspecialchars(t3lib_div::linkThisScript(array('id'=>$id))).'">---</option>';
-                                       $opt[] = '<option value="'.htmlspecialchars($this->backPath.t3lib_extMgm::extRelPath('version').'cm1/index.php?table=pages&uid='.$onlineId).'">'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.mgm',1).'</option>';
-
+                                       $management = '<input type="button" value="' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.mgm', TRUE) . '" onclick="window.location.href=\'' .
+                                                       htmlspecialchars($this->backPath . t3lib_extMgm::extRelPath('version') . 'cm1/index.php?table=pages&uid=' . $onlineId) . '\';" />';
                                                // Create onchange handler:
                                        $onChange = "window.location.href=this.options[this.selectedIndex].value;";
 
                                                // Controls:
-                                       if ($id==$onlineId)     {
-                                               $controls = '<img'.t3lib_iconWorks::skinImg($this->backPath,'gfx/blinkarrow_left.gif','width="5" height="9"').' class="absmiddle" alt="" /> <strong>'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.online',1).'</strong>';
+                                       if ($id == $onlineId) {
+                                               $controls .= '<img' . t3lib_iconWorks::skinImg($this->backPath, 'gfx/blinkarrow_left.gif','width="5" height="9"') .
+                                                       ' class="absmiddle" alt="" /> <strong>' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.online', TRUE) .
+                                                       '</strong>';
                                        } elseif (!$noAction) {
-                                               $controls = '<a href="'.$this->issueCommand('&cmd[pages]['.$onlineId.'][version][swapWith]='.$id.'&cmd[pages]['.$onlineId.'][version][action]=swap',t3lib_div::linkThisScript(array('id'=>$onlineId))).'" class="nobr">'.
-                                                               '<img'.t3lib_iconWorks::skinImg($this->backPath,'gfx/insert1.gif','width="14" height="14"').' style="margin-right: 2px;" class="absmiddle" alt="" title="'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.swapPage',1).'" />'.
-                                                               '<strong>'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.swap',1).'</strong></a>';
+                                               $controls .= '<a href="' . $this->issueCommand('&cmd[pages][' . $onlineId . '][version][swapWith]=' . $id .
+                                                       '&cmd[pages][' . $onlineId . '][version][action]=swap', t3lib_div::linkThisScript(array('id' => $onlineId))) .
+                                                       '" class="nobr">' . t3lib_iconWorks::getSpriteIcon('actions-version-swap-version', array(
+                                                               'title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.swapPage', TRUE),
+                                                               'style' => 'margin-left:5px;vertical-align:bottom;'
+                                                       )) . '<strong>' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.swap', TRUE) . '</strong></a>';
                                        }
 
                                                // Write out HTML code:
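Review bot: `$selectorLabel` is assigned on the first added line of this hunk inside `if (count($versions) > 1)`, but it is also read in the `elseif ($GLOBALS['BE_USER']->workspace !== 0)` branch that follows (the `<td>' . $selectorLabel . '</td>` cells in the next four hunks); unless the variable is also set before the outer `if` outside this diff, those tables render an empty cell plus an undefined-variable notice. Moving the assignment above the outer `if` fixes all of them at once; the smallest in-hunk fix is to repeat it at the top of the `elseif` branch: `$selectorLabel = '<strong>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionSelect.label', TRUE) . '</strong>';`. Separately, `$controls` changed from `=` to `.=` in both branches; unless it is initialised earlier in the method the first append is to an undefined variable, and when `$id != $onlineId` and `$noAction` is set it is still read unassigned in the table below, so `$controls = '';` before the `if` would cover both cases. The enclosing method starts before this hunk.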
@@ -1866,32 +1871,33 @@ $str.=$this->docBodyTagBegin().
                                                -->
                                                <table border="0" cellpadding="0" cellspacing="0" id="typo3-versionSelector">
                                                        <tr>
-                                                               <td>'.$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.php:ver.selVer',1).'</td>
+                                                               <td>' . $selectorLabel . '</td>
                                                                <td>
-                                                                       <select onchange="'.htmlspecialchars($onChange).'">
-                                                                               '.implode('',$opt).'
+                                                                       <select onchange="' . htmlspecialchars($onChange) . '">
+                                                                               ' . implode('', $opt) . '
                                                                        </select></td>
-                                                               <td>'.$controls.'</td>
+                                                               <td>' . $controls . '</td>
+                                                               <td>' . $management . '</td>
                                                        </tr>
                                                </table>
                                        ';
                                }
-                       } elseif ($GLOBALS['BE_USER']->workspace!==0) {
+                       } elseif ($GLOBALS['BE_USER']->workspace !== 0) {
 
                                        // Write out HTML code:
-                               switch($GLOBALS['BE_USER']->workspace)  {
+                               switch($GLOBALS['BE_USER']->workspace) {
                                        case 0:
-                                               $wsTitle = 'LIVE';
+                                               $wsTitle = $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:live', TRUE);
                                        break;
                                        case -1:
-                                               $wsTitle = 'Draft';
+                                               $wsTitle = $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:draft', TRUE);
                                        break;
                                        default:
                                                $wsTitle = $GLOBALS['BE_USER']->workspaceRec['title'];
                                        break;
                                }
 
-                               if (t3lib_BEfunc::isPidInVersionizedBranch($id)=='branchpoint') {
+                               if (t3lib_BEfunc::isPidInVersionizedBranch($id) == 'branchpoint') {
                                        return '
 
                                                <!--
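Review bot: The `case 0:` branch that now yields the translated `live` label sits inside `elseif ($GLOBALS['BE_USER']->workspace !== 0)`, so for an integer workspace it can never run; it is reachable only if `workspace` arrives as the string `'0'`, which passes the strict `!== 0` test and then matches `case 0` under `switch`'s loose comparison. Either the branch is dead and should go, or the outer comparison should be normalised (`(int) $GLOBALS['BE_USER']->workspace !== 0`) so the two checks agree; a comment on the `case 0` saying which is intended would spare the next reader the puzzle. The enclosing method continues past this hunk.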
@@ -1899,26 +1905,30 @@ $str.=$this->docBodyTagBegin().
                                                -->
                                                <table border="0" cellpadding="0" cellspacing="0" id="typo3-versionSelector">
                                                        <tr>
-                                                               <td>Workspace: "'.htmlspecialchars($wsTitle).'"</td>
-                                                               <td><em>Inside branch, no further versioning possible</em></td>
+                                                               <td>' . $selectorLabel . '</td>
+                                                               <td>Workspace: "' . htmlspecialchars($wsTitle) . '"</td>
+                                                               <td><em>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionSelect.inBranch', TRUE) . '</em></td>
                                                        </tr>
                                                </table>
                                        ';
                                } else {
                                                // Get Current page record:
-                                       $curPage = t3lib_BEfunc::getRecord('pages',$id);
+                                       $curPage = t3lib_BEfunc::getRecord('pages', $id);
                                                // If the selected page is not online, find the right ID
                                        $onlineId = ($curPage['pid']==-1 ? $curPage['t3ver_oid'] : $id);
                                                // The version of page:
                                        $verPage = t3lib_BEfunc::getWorkspaceVersionOfRecord($GLOBALS['BE_USER']->workspace, 'pages', $onlineId);
 
-                                       if (!$verPage)  {
+                                       if (!$verPage) {
 
-                                               if (!count(t3lib_BEfunc::countVersionsOfRecordsOnPage($GLOBALS['BE_USER']->workspace, $onlineId)))      {
-                                                       if ($GLOBALS['BE_USER']->workspaceVersioningTypeAccess(0))      {
+                                               if (!count(t3lib_BEfunc::countVersionsOfRecordsOnPage($GLOBALS['BE_USER']->workspace, $onlineId))) {
+                                                       if ($GLOBALS['BE_USER']->workspaceVersioningTypeAccess(0)) {
 
-                                                               $onClick = $this->issueCommand('&cmd[pages]['.$onlineId.'][version][action]=new&cmd[pages]['.$onlineId.'][version][treeLevels]=0',t3lib_div::linkThisScript(array('id'=>$onlineId)));
-                                                               $onClick = 'window.location.href=\''.$onClick.'\'; return false;';
+                                                               $onClick = $this->issueCommand('&cmd[pages][' . $onlineId . '][version][action]=new&cmd[pages][' . $onlineId . '][version][treeLevels]=0',
+                                                                       t3lib_div::linkThisScript(array(
+                                                                               'id' => $onlineId
+                                                                       )));
+                                                               $onClick = 'window.location.href=\'' . $onClick . '\'; return false;';
                                                                        // Write out HTML code:
                                                                return '
 
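Review bot: The `Workspace: "` prefix on the branch-point row is left hard-coded while the three sibling rows rewritten later in this commit use `$GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:workspace', TRUE)`; for consistency the cell should read `<td>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:workspace', TRUE) . ': "' . htmlspecialchars($wsTitle) . '"</td>`. `$curPage['pid'] == -1` a few lines further down is a loose comparison on a database value — pre-existing, but `(int) $curPage['pid'] === -1` would make the intent explicit. The enclosing method starts and ends outside the hunk.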
@@ -1927,14 +1937,16 @@ $str.=$this->docBodyTagBegin().
                                                                        -->
                                                                        <table border="0" cellpadding="0" cellspacing="0" id="typo3-versionSelector">
                                                                                <tr>
-                                                                                       <td>Workspace: "'.htmlspecialchars($wsTitle).'"</td>
+                                                                                       <td>' . $selectorLabel . '</td>
+                                                                                       <td>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:workspace', TRUE) . ': "' . htmlspecialchars($wsTitle) . '"</td>
                                                                                        <td>
-                                                                                               <input type="submit" value="New version of page" name="_" onclick="'.htmlspecialchars($onClick).'" /></td>
+                                                                                               <input type="button" value="New version of page" name="_" onclick="' . htmlspecialchars($onClick) . '" /></td>
                                                                                </tr>
                                                                        </table>
                                                                ';
                                                        }
-                                               } elseif ($GLOBALS['TYPO3_CONF_VARS']['BE']['elementVersioningOnly'] == FALSE && $GLOBALS['TYPO3_CONF_VARS']['BE']['newPagesVersioningType'] == 0) { // only add this info if old/deprecated newPagesVersioning is allowed
+                                               } elseif ($GLOBALS['TYPO3_CONF_VARS']['BE']['elementVersioningOnly'] == FALSE && $GLOBALS['TYPO3_CONF_VARS']['BE']['newPagesVersioningType'] == 0) {
+                                                               // only add this info if old/deprecated newPagesVersioning is allowed
                                                        return '
 
                                                                <!--
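Review bot: The button value `New version of page` is still a hard-coded English string, whereas the publish button rewritten further down in this commit takes its value from `versionSelect.publish` in `locallang.xml`; this one should be localised the same way, e.g. `value="' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:<LABEL-KEY-PLACEHOLDER>', TRUE) . '"` (the real key is not visible here). The `name="_"` attribute was kept on this `type="button"` input but dropped from the publish one — with no submit left there is no reason to keep it on either. The enclosing method starts and ends outside the hunk.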
@@ -1942,15 +1954,20 @@ $str.=$this->docBodyTagBegin().
                                                                -->
                                                                <table border="0" cellpadding="0" cellspacing="0" id="typo3-versionSelector">
                                                                        <tr>
-                                                                               <td>Workspace: "'.htmlspecialchars($wsTitle).'"</td>
-                                                                               <td><em>Versions found on page, no "Page" versioning possible</em></td>
+                                                                               <td>' . $selectorLabel . '</td>
+                                                                               <td>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:workspace', TRUE) . ': "' . htmlspecialchars($wsTitle) . '"</td>
+                                                                               <td><em>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionSelect.versionsFound', TRUE) . '</em></td>
                                                                        </tr>
                                                                </table>
                                                        ';
                                                }
                                        } elseif ($verPage['t3ver_swapmode']==0) {
-                                               $onClick = $this->issueCommand('&cmd[pages]['.$onlineId.'][version][action]=swap&cmd[pages]['.$onlineId.'][version][swapWith]='.$verPage['uid'],t3lib_div::linkThisScript(array('id'=>$onlineId)));
-                                               $onClick = 'window.location.href=\''.$onClick.'\'; return false;';
+                                               $onClick = $this->issueCommand('&cmd[pages][' . $onlineId . '][version][action]=swap&cmd[pages][' .
+                                                       $onlineId . '][version][swapWith]=' . $verPage['uid'],
+                                                       t3lib_div::linkThisScript(array(
+                                                               'id' => $onlineId
+                                                       )));
+                                               $onClick = 'window.location.href=\'' . $onClick . '\'; return false;';
 
                                                        // Write out HTML code:
                                                return '
@@ -1960,9 +1977,11 @@ $str.=$this->docBodyTagBegin().
                                                        -->
                                                        <table border="0" cellpadding="0" cellspacing="0" id="typo3-versionSelector">
                                                                <tr>
-                                                                       <td>Workspace: "'.htmlspecialchars($wsTitle).'"</td>
+                                                                       <td>' . $selectorLabel . '</td>
+                                                                       <td>' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:workspace', TRUE) . ': "' . htmlspecialchars($wsTitle) . '"</td>
                                                                        <td>
-                                                                               <input type="submit" value="Publish page" name="_" onclick="'.htmlspecialchars($onClick).'" /></td>
+                                                                               <input type="button" value="' . $GLOBALS['LANG']->sL('LLL:EXT:version/locallang.xml:versionSelect.publish', TRUE) .
+                                                                                       '" onclick="' . htmlspecialchars($onClick) . '" /></td>
                                                                </tr>
                                                        </table>
                                                ';
@@ -2172,7 +2191,7 @@ $str.=$this->docBodyTagBegin().
                        $title = t3lib_BEfunc::getRecordTitle('pages', $pageRecord);
                } else {        // On root-level of page tree
                                // Make Icon
-                       $iconImg = t3lib_iconWorks::getSpriteIcon('apps-pagetree-root', array('title' => $GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename']));
+                       $iconImg = t3lib_iconWorks::getSpriteIcon('apps-pagetree-root', array('title' => htmlspecialchars($GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'])));
                        if($BE_USER->user['admin']) {
                                $theIcon = $GLOBALS['SOBE']->doc->wrapClickMenuOnIcon($iconImg, 'pages', 0);
                        } else {
@@ -2292,4 +2311,4 @@ if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/templ
 $GLOBALS['TBE_TEMPLATE'] = t3lib_div::makeInstance('template');
 
 
-?>
+?>
\ No newline at end of file