Fixed bug #14144: Positioning of toolbar elements broken, especially in Safari (thank...
[Packages/TYPO3.CMS.git] / typo3 / alt_palette.php
old mode 100755 (executable)
new mode 100644 (file)
index 483057e..60a9115
@@ -2,7 +2,7 @@
 /***************************************************************
 *  Copyright notice
 *
-*  (c) 1999-2008 Kasper Skaarhoj (kasperYYYY@typo3.com)
+*  (c) 1999-2009 Kasper Skaarhoj (kasperYYYY@typo3.com)
 *  All rights reserved
 *
 *  This script is part of the TYPO3 project. The TYPO3 project is
@@ -60,9 +60,6 @@
 
 require('init.php');
 require('template.php');
-require_once(PATH_t3lib.'class.t3lib_tceforms.php');
-require_once(PATH_t3lib.'class.t3lib_transferdata.php');
-require_once(PATH_t3lib.'class.t3lib_loaddbgroup.php');
 $LANG->includeLLFile('EXT:lang/locallang_alt_doc.xml');
 
 
@@ -77,6 +74,7 @@ $LANG->includeLLFile('EXT:lang/locallang_alt_doc.xml');
  * @author     Kasper Skaarhoj <kasperYYYY@typo3.com>
  * @package TYPO3
  * @subpackage core
+ * @deprecated since TYPO3 4.3, will be removed in TYPO3 4.5
  */
 class formRender extends t3lib_TCEforms {
 
@@ -247,15 +245,19 @@ class SC_alt_palette {
        function init() {
 
                        // Setting GPvars, etc.
-               $this->formName = t3lib_div::_GP('formName');
-               $this->GPbackref = t3lib_div::_GP('backRef');
+               $this->formName = $this->sanitizeHtmlName(t3lib_div::_GP('formName'));
+               $this->GPbackref = $this->sanitizeHtmlName(t3lib_div::_GP('backRef'));
                $this->inData = t3lib_div::_GP('inData');
-               $this->prependFormFieldNames = t3lib_div::_GP('prependFormFieldNames');
+                       // safeguards the input with whitelisting
+               if (!preg_match('/^[a-zA-Z0-9\-_\:]+$/', $this->inData)) {
+                       $this->inData = '';
+               }
+               $this->prependFormFieldNames =
+                       $this->sanitizeHtmlName(t3lib_div::_GP('prependFormFieldNames'));
                $this->rec = t3lib_div::_GP('rec');
 
                        // Making references:
                $this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';
-#              $this->backRef = 'top.content.list_frame.view_frame';
 
                $this->formRef = $this->backRef.'.document.'.$this->formName;
 
@@ -293,6 +295,24 @@ class SC_alt_palette {
        }
 
        /**
+        * Sanitizes HTML names, IDs, frame names etc.
+        *
+        * @param string $input the string to sanitize
+        *
+        * @return string the unchanged $input if $input is considered to be harmless,
+        *                an empty string otherwise
+        */
+       protected function sanitizeHtmlName($input) {
+               $result = $input;
+
+               if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/', $result)) {
+                       $result = '';
+               }
+
+               return $result;
+       }
+
+       /**
         * Main function, rendering the palette form
         *
         * @return      void
@@ -300,7 +320,6 @@ class SC_alt_palette {
        function main() {
 
                $this->content='';
-               $this->content.=$this->doc->startPage('TYPO3 Edit Palette');
 
                $inData = explode(':',$this->inData);
 
@@ -330,6 +349,11 @@ class SC_alt_palette {
                                // Add all the content, including JavaScript as needed.
                        $this->content.=$tceforms->printNeededJSFunctions_top().$formContent.$tceforms->printNeededJSFunctions();
                }
+
+               // Assemble the page:
+               $tempContent = $this->content;
+               $this->content = $this->doc->startPage('TYPO3 Edit Palette');
+               $this->content.= $tempContent;
        }
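Review bot: The swap through `$tempContent` at the end of main() is a three-line way of writing a single prepend, `$this->content = $this->doc->startPage('TYPO3 Edit Palette') . $this->content;`, which needs no temporary and reads as what it does. The "Assemble the page:" comment would be more useful if it said why startPage() is now called after the form is rendered rather than before (presumably so that anything the TCEforms rendering contributes to the page head is available by then, but that is inferred from the moved line, not visible here), e.g. `// Prepend the page head last, after the form and its JS have been rendered`. main() starts outside this hunk.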
 
        /**
@@ -344,25 +368,17 @@ class SC_alt_palette {
        }
 }
 
-// Include extension?
+
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/alt_palette.php'])  {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['typo3/alt_palette.php']);
 }
 
 
 
-
-
-
-
-
-
-
-
-
 // Make instance:
 $SOBE = t3lib_div::makeInstance('SC_alt_palette');
 $SOBE->init();
 $SOBE->main();
 $SOBE->printContent();
-?>
+
+?>
\ No newline at end of file