[SECURITY] Encode link text properly in typolink 07/40807/2
author Nicole Cordes <typo3@cordes.co>
Wed, 17 Jun 2015 14:53:48 +0000 (16:53 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:09:46 +0000 (16:09 +0200)
commit 32d22760cc03ab1241c7ff72882da363a019d23f
tree 3354dced9ce83c99496de5e6b326cf765257ca6d
parent 6fa4c8e3e196b8d50d0c65e4fd673cd0aded1bda
[SECURITY] Encode link text properly in typolink

If the to-be-linked text is empty, the ContentObjectRenderer chooses an
appropriate link text but doesn't encode it properly. As hsc() was
abandoned before, this patch adds the parseFunc functionality to keep
common HTML tags which might be used by the editor but escapes unknown
characters and tags.

Resolves: #34107
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-004
Change-Id: I9730cb81c315a76a8fc0ef184362cabb9a59f2e5
Reviewed-on: http://review.typo3.org/40807
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php