[SECURITY] Link fields accept inline javascript code 65/45265/2
author Oliver Hader <oliver@typo3.org>
Tue, 15 Dec 2015 10:33:48 +0000 (11:33 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:33:54 +0000 (11:33 +0100)
commit 25a1473907f0f4b2bb0147c661981940c57a4555
tree 035cdf085c2ae0752bf686198eb55f3a925fa829
parent df2d3d7f46b485e1c5c6895adb5496c11ef8184b
[SECURITY] Link fields accept inline javascript code

JavaScript can be submitted for every link field and will be
rendered in the frontend when passed through typolink. To circumvent
that, the URI scheme and prefix "javascript:" will be disallowed.

The extension "javascript_handler" however allows bringing back
that insecure behavior, since some installations might rely on it.

Resolves: #71698
Releases: master, 6.2
Security-Commit: c9f5b7ced589c2d58a8c6099e5491923ace2e9a7
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I5a0bcb990686fa1e768974afe561f6b195906552
Reviewed-on: https://review.typo3.org/45265
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
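The commit above only states that the "javascript:" scheme and prefix are refused before a link field reaches typolink, and that the javascript_handler extension can re-enable the old behavior. The following is an added example of what such a check has to cover to be worth anything; it is not code from TYPO3 core, from ContentObjectRenderer.php, or from the javascript_handler extension. The class name LinkSchemeFilter, the constructor flag standing in for "javascript_handler is installed", the sample link targets, and the choice to fall back to plain text for a refused target are all assumptions made for this example. A naive `strpos($url, 'javascript:') === 0` misses the spellings a browser still executes, so the target is canonicalised the way a browser's URL parser does (entity decoding, trimming of C0 controls and spaces, removal of tab/LF/CR) before the scheme is compared. Requires PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not code from TYPO3 core or the javascript_handler extension.
// A link target whose scheme is "javascript:" is refused before rendering,
// unless the opt-in flag (a stand-in for javascript_handler) is set.

final class LinkSchemeFilter
{
    /** Schemes that are never rendered as a link target unless opted in. */
    private const BLOCKED_SCHEMES = ['javascript'];

    /** Constructed stand-in for "the javascript_handler extension is installed". */
    private bool $allowJavaScript;

    public function __construct(bool $allowJavaScript = false)
    {
        $this->allowJavaScript = $allowJavaScript;
    }

    /**
     * Canonicalise the target the way a browser's URL parser would before it
     * looks at the scheme, so obfuscated spellings do not slip past a naive
     * "starts with javascript:" comparison:
     *  - HTML entities are decoded ("&#106;avascript:" and "javascript&colon;"
     *    read as "javascript:" once the markup is parsed),
     *  - leading and trailing C0 controls and spaces are trimmed,
     *  - ASCII tab, LF and CR are removed everywhere ("java\tscript:").
     * The canonical form is used for the decision only; the original string
     * is what gets rendered when it is accepted.
     */
    public static function canonicalise(string $target): string
    {
        $target = html_entity_decode($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $target = trim($target, "\x00..\x20");
        return str_replace(["\t", "\n", "\r"], '', $target);
    }

    /** Lower-cased scheme of a canonicalised target, or null for a relative link. */
    public static function scheme(string $canonical): ?string
    {
        if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $canonical, $m) === 1) {
            return strtolower($m[1]);
        }
        return null;
    }

    public function isAllowed(string $target): bool
    {
        $scheme = self::scheme(self::canonicalise($target));
        if ($scheme === null) {
            return true;                     // relative link, nothing to execute
        }
        if (in_array($scheme, self::BLOCKED_SCHEMES, true)) {
            return $this->allowJavaScript;   // only with the explicit opt-in
        }
        return true;
    }

    /**
     * Render an anchor, or fall back to the bare (escaped) link text when the
     * target is refused. The fallback is this example's choice; the commit
     * only says the scheme is disallowed.
     */
    public function render(string $target, string $text): string
    {
        $label = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (!$this->isAllowed($target)) {
            return $label;
        }
        $href = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return '<a href="' . $href . '">' . $label . '</a>';
    }
}

// Constructed sample targets, as an editor might type them into a link field.
$samples = [
    'https://example.org/',
    '/index.php?id=1',
    'mailto:info@example.org',
    'javascript:alert(1)',
    '  JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    '&#106;avascript:alert(1)',
    'javascript&colon;alert(1)',
];

$strict = new LinkSchemeFilter();        // behaviour after the fix
$legacy = new LinkSchemeFilter(true);    // javascript_handler-style opt-in

foreach ($samples as $target) {
    printf("%-30s strict: %-5s legacy: %s\n",
        json_encode($target),
        $strict->isAllowed($target) ? 'ok' : 'DROP',
        $legacy->isAllowed($target) ? 'ok' : 'DROP');
}
echo $strict->render('javascript:alert(1)', 'Click'), "\n";
echo $strict->render('https://example.org/', 'Home'), "\n";
```

Two points worth keeping in mind when adapting this. First, the entity decoding only matters if the rendered href is emitted without HTML escaping; with `htmlspecialchars` on output, a literal `&#106;` reaches the browser as `&amp;#106;` and is inert, so the decoding is defence in depth rather than the primary control. Second, a denylist of one scheme is exactly what the commit describes, but a link field that only ever needs http, https, mailto, tel and site-relative paths is safer with an allowlist of those schemes, since that also catches `vbscript:` and `data:` targets without anyone having to think of them first.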