[TASK] Use external Core Project DBAL as Git submodule
[Packages/TYPO3.CMS.git] / typo3 / wizard_tsconfig.php
index b4e7efa..1bcf114 100644 (file)
@@ -2,7 +2,7 @@
 /***************************************************************
 *  Copyright notice
 *
-*  (c) 1999-2010 Kasper Skaarhoj (kasperYYYY@typo3.com)
+*  (c) 1999-2011 Kasper Skårhøj (kasperYYYY@typo3.com)
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
 /**
  * Wizard for inserting TSconfig in form fields. (page,user or TS)
  *
- * $Id$
- * Revised for TYPO3 3.6 November/2003 by Kasper Skaarhoj
+ * Revised for TYPO3 3.6 November/2003 by Kasper Skårhøj
  * XHTML compliant
  *
- * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
+ * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  */
 /**
  * [CLASS/FUNCTION INDEX of SCRIPT]
@@ -83,7 +82,7 @@ $LANG->includeLLFile('EXT:lang/locallang_wizards.xml');
 /**
  * TypoScript parser extension class.
  *
- * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
+ * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  * @package TYPO3
  * @subpackage core
  */
@@ -112,7 +111,7 @@ class ext_TSparser extends t3lib_tsparser_ext {
 /**
  * Script Class for rendering the TSconfig/TypoScript property browser.
  *
- * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
+ * @author     Kasper Skårhøj <kasperYYYY@typo3.com>
  * @package TYPO3
  * @subpackage core
  */
@@ -156,7 +155,9 @@ class SC_wizard_tsconfig {
                $this->objString = t3lib_div::_GP('objString');
                $this->onlyProperty = t3lib_div::_GP('onlyProperty');
                        // Preparing some JavaScript code:
-               if (!is_array($this->P['fieldChangeFunc']))     $this->P['fieldChangeFunc']=array();
+               if (!$this->areFieldChangeFunctionsValid()) {
+                       $this->P['fieldChangeFunc']=array();
+               }
                unset($this->P['fieldChangeFunc']['alert']);
                $update='';
                foreach($this->P['fieldChangeFunc'] as $k=>$v)  {
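Review bot: The new guard at `if (!$this->areFieldChangeFunctionsValid())` empties a rejected `fieldChangeFunc` silently, and nothing at the call site says why the array is untrusted. I would add a comment above it such as `// fieldChangeFunc is submitted with the request; keep it only when its HMAC matches, since it feeds the JavaScript built below`. A failed check most likely means the parameter was altered after it was signed, so recording it through the backend's logging would make that visible to operators. The enclosing method starts and continues outside this hunk, so how `$update` is finally emitted cannot be checked here.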
@@ -301,13 +302,13 @@ class SC_wizard_tsconfig {
                        // Adding link to TSref:
                if ($this->mode=='tsref')       {
                        $this->content.=$this->doc->section($LANG->getLL('tsprop_TSref'),'
-                       <a href="'.htmlspecialchars('http://typo3.org/documentation/document-library/references/doc_core_tsref/current/view/').'" target="_blank">'.$LANG->getLL('tsprop_TSref',1).'</a>
+                       <a href="'. TYPO3_URL_DOCUMENTATION_TSREF.'" target="_blank">'.$LANG->getLL('tsprop_TSref',1).'</a>
                        ',0,1);
                }
                        // Adding link to admin guides etc:
                if ($this->mode=='page' || $this->mode=='beuser')       {
                        $this->content.=$this->doc->section($LANG->getLL('tsprop_tsconfig'),'
-                       <a href="'.htmlspecialchars('http://typo3.org/documentation/document-library/references/doc_core_tsconfig/current/view/').'" target="_blank">'.$LANG->getLL('tsprop_tsconfig',1).'</a>
+                       <a href="' . TYPO3_URL_DOCUMENTATION_TSCONFIG . '" target="_blank">' . $LANG->getLL('tsprop_tsconfig',1) . '</a>
                        ',0,1);
                }
        }
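Review bot: Both rewritten `href` attributes now print the constant unescaped, where the old lines passed the URL through `htmlspecialchars()`. The constants are defined outside this diff, so whether they can ever contain `&` or a quote cannot be confirmed from here. Keeping the escape keeps the attribute well-formed whatever the constant holds: `<a href="' . htmlspecialchars(TYPO3_URL_DOCUMENTATION_TSREF) . '" target="_blank">`, and the same for `TYPO3_URL_DOCUMENTATION_TSCONFIG`. The two new lines also differ in concatenation spacing (`'. CONST.'` against `' . CONST . '`); one form should be used for both.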
@@ -621,11 +622,24 @@ class SC_wizard_tsconfig {
                        // Return link:
                return $out;
        }
+
+       /**
+        * Determines whether submitted field change functions are valid
+        * and are coming from the system and not from an external abuse.
+        *
+        * @return boolean Whether the submitted field change functions are valid
+        */
+       protected function areFieldChangeFunctionsValid() {
+               return (
+                       isset($this->P['fieldChangeFunc']) && is_array($this->P['fieldChangeFunc']) && isset($this->P['fieldChangeFuncHash'])
+                       && $this->P['fieldChangeFuncHash'] == t3lib_div::hmac(serialize($this->P['fieldChangeFunc']))
+               );
+       }
 }
 
 
-if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/wizard_tsconfig.php'])      {
-       include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/wizard_tsconfig.php']);
+if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['typo3/wizard_tsconfig.php'])) {
+       include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['typo3/wizard_tsconfig.php']);
 }
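Review bot: The hash check in `areFieldChangeFunctionsValid()` uses loose `==`, so PHP may compare two numeric-looking strings as numbers rather than byte for byte, and the comparison is not constant-time. Nothing checks that `fieldChangeFuncHash` is a string either. I would tighten the last condition to `is_string($this->P['fieldChangeFuncHash']) && $this->P['fieldChangeFuncHash'] === t3lib_div::hmac(serialize($this->P['fieldChangeFunc']))`, and use `hash_equals()` in place of `===` where the supported PHP version provides it. Separately, the `isset()` added to the XCLASS include at the end of the hunk lets an entry set to an empty string reach `include_once`, which the old truthiness test skipped; `!empty(...)` would avoid the notice and keep the old behaviour.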