Fixed bug #17133: Pagetree - qtip can be used to execute custom javascript (XSS)...
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_page.php
index d0d6b2a..a81bc61 100644 (file)
@@ -2,7 +2,7 @@
 /***************************************************************
  *  Copyright notice
  *
- *  (c) 1999-2010 Kasper Skårhøj (kasperYYYY@typo3.com)
+ *  (c) 1999-2011 Kasper Skårhøj (kasperYYYY@typo3.com)
  *  All rights reserved
  *
  *  This script is part of the TYPO3 project. The TYPO3 project is
@@ -346,6 +346,7 @@ class t3lib_pageSelect {
 
                                if (is_array($row)) {
                                        $row['_PAGES_OVERLAY'] = TRUE;
+                                       $row['_PAGES_OVERLAY_UID'] = $row['uid'];
 
                                                // Unset vital fields that are NOT allowed to be overlaid:
                                        unset($row['uid']);
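Review bot: The added `$row['_PAGES_OVERLAY_UID']` assignment has no comment, and its purpose only becomes clear from the `unset($row['uid'])` two lines later. A comment above it would help, for example `// Preserve the overlay record's uid, because 'uid' is unset below`. The value is copied from the row as-is, so any code that later writes it into markup or a query still has to cast or escape it. The enclosing method starts and ends outside this hunk.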
@@ -617,7 +618,7 @@ class t3lib_pageSelect {
                }
 
                        // Initialize:
-               $selFields = t3lib_div::uniqueList('pid,uid,t3ver_oid,t3ver_wsid,t3ver_state,t3ver_swapmode,title,alias,nav_title,media,layout,hidden,starttime,endtime,fe_group,extendToSubpages,doktype,TSconfig,storage_pid,is_siteroot,mount_pid,mount_pid_ol,fe_login_mode,' . $GLOBALS['TYPO3_CONF_VARS']['FE']['addRootLineFields']);
+               $selFields = t3lib_div::uniqueList('pid,uid,t3ver_oid,t3ver_wsid,t3ver_state,t3ver_swapmode,title,alias,nav_title,media,layout,hidden,starttime,endtime,fe_group,extendToSubpages,doktype,TSconfig,storage_pid,is_siteroot,mount_pid,mount_pid_ol,fe_login_mode,be_layout_next_level,' . $GLOBALS['TYPO3_CONF_VARS']['FE']['addRootLineFields']);
                $this->error_getRootLine = '';
                $this->error_getRootLine_failPid = 0;
 
@@ -1324,7 +1325,7 @@ class t3lib_pageSelect {
                        if (($table == 'pages' || (int) $TCA[$table]['ctrl']['versioningWS'] >= 2) && $workspace !== 0) {
 
                                        // Select workspace version of record:
-                               $rows = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
+                               $row = $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow(
                                        $fields,
                                        $table,
                                        'pid!=-1 AND
@@ -1334,8 +1335,8 @@ class t3lib_pageSelect {
                                        $this->deleteClause($table)
                                );
 
-                               if (is_array($rows[0])) {
-                                       return $rows[0];
+                               if (is_array($row)) {
+                                       return $row;
                                }
                        }
                }
@@ -1366,7 +1367,7 @@ class t3lib_pageSelect {
                        }
 
                                // Select workspace version of record, only testing for deleted.
-                       list($newrow) = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
+                       $newrow = $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow(
                                $fields,
                                $table,
                                'pid=-1 AND
@@ -1377,7 +1378,7 @@ class t3lib_pageSelect {
 
                                // If version found, check if it could have been selected with enableFields on as well:
                        if (is_array($newrow)) {
-                               if ($bypassEnableFieldsCheck || $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
+                               if ($bypassEnableFieldsCheck || $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow(
                                        'uid',
                                        $table,
                                        'pid=-1 AND
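Review bot: The enable-fields condition on the changed `if ($bypassEnableFieldsCheck || ...exec_SELECTgetSingleRow(` line relies on the truthiness of the return value, while the other call sites converted in this commit test `is_array($row)`, `is_array($newrow)` and `!is_array($ws)`. The same applies to the next hunk's `'uid=' . intval($uid) . $enFields` check. Both conditions decide whether a record passes the enable-fields gate, so an explicit test would make them independent of what the helper returns on no match or on a failed query, presumably `FALSE` or `NULL`. The suggested form is `if ($bypassEnableFieldsCheck || is_array($GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow(...))) {`. The call and the enclosing method continue outside the hunk.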
@@ -1391,7 +1392,7 @@ class t3lib_pageSelect {
                                }
                        } else {
                                        // OK, so no workspace version was found. Then check if online version can be selected with full enable fields and if so, return 1:
-                               if ($bypassEnableFieldsCheck || $GLOBALS['TYPO3_DB']->exec_SELECTgetRows(
+                               if ($bypassEnableFieldsCheck || $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow(
                                        'uid',
                                        $table,
                                        'uid=' . intval($uid) . $enFields
@@ -1421,11 +1422,8 @@ class t3lib_pageSelect {
                }
                else {
                        if ($wsid > 0) {
-                               $ws = $GLOBALS['TYPO3_DB']->exec_SELECTgetRows('*', 'sys_workspace', 'uid=' . intval($wsid) . ' AND deleted=0'); // No $TCA yet!
-                               if (count($ws)) {
-                                       $ws = $ws[0];
-                               }
-                               else {
+                               $ws = $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow('*', 'sys_workspace', 'uid=' . intval($wsid) . ' AND deleted=0'); // No $TCA yet!
+                               if (!is_array($ws)) {
                                        return FALSE;
                                }
                        }
@@ -1440,8 +1438,8 @@ class t3lib_pageSelect {
 }
 
 
-if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_page.php']) {
-       include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_page.php']);
+if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_page.php'])) {
+       include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_page.php']);
 }
 
 ?>
\ No newline at end of file
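Review bot: The switch from a truthiness test to `isset()` on the XCLASS guard changes which values reach `include_once`. `isset()` is true for an empty string or `FALSE`, so an XCLASS entry that was set and then blanked would now be passed to `include_once` and raise a warning instead of being skipped. `!empty()` keeps the notice-free lookup and the old skip behaviour: `if (defined('TYPO3_MODE') && !empty($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['t3lib/class.t3lib_page.php'])) {`. The included path comes from configuration, so whoever can write `TYPO3_CONF_VARS` controls which file is loaded here.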