[SECURITY] Disallow javascript & data scheme in URL link handler 41/61141/2
author Oliver Hader <oliver@typo3.org>
Tue, 25 Jun 2019 06:41:16 +0000 (08:41 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 25 Jun 2019 06:41:21 +0000 (08:41 +0200)
commit 4c003f80b8b25def173268b8b069446c4fcc313a
tree 074558612399947673573950aee139a2ddd6a9b8
parent d593a69cce127af59d62d2c22184d491cd9f5408
[SECURITY] Disallow javascript & data scheme in URL link handler

URLs defined using TYPO3's internal t3://url/?url=... notation are
now hardened against using `javascript:` and `data:` URL schemes.

Resolves: #88476
Releases: master, 9.5, 8.7
Security-Commit: 1a873c662524a62b192661da45d27e223e517d18
Security-Bulletin: TYPO3-CORE-SA-2019-015
Change-Id: Ia9ca8784a1779492762e5a36fcb1ada67bb6c56a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61141
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/LinkHandling/UrlLinkHandler.php
typo3/sysext/core/Tests/Unit/LinkHandling/UrlLinkHandlerTest.php
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
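
The kind of scheme check the commit message describes, as an added PHP sketch that is not TYPO3's code from this commit. The function names, the empty-string result for a blocked target and the sample links are assumptions made for the illustration; the normalisation step follows the WHATWG URL parsing rules that browsers apply to a link target.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code: names and sample links are constructed.
const BLOCKED_SCHEMES = ['javascript', 'data'];

/** Returns the lower-cased scheme a browser would see in $url, or null if there is none. */
function effectiveScheme(string $url): ?string
{
    // Browsers strip leading/trailing C0 controls and spaces, and remove
    // tab, CR and LF anywhere in the string, before looking for the scheme.
    $url = trim($url, "\x00..\x20");
    $url = str_replace(["\t", "\r", "\n"], '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) === 1) {
        return strtolower($m[1]);
    }
    return null;
}

/** Returns the target of a t3://url/?url=... link, or '' when its scheme is blocked. */
function resolveUrlLink(string $t3Link): string
{
    $parts = parse_url($t3Link) ?: [];
    if (($parts['scheme'] ?? '') !== 't3' || ($parts['host'] ?? '') !== 'url') {
        throw new InvalidArgumentException('Not a t3://url link');
    }
    parse_str($parts['query'] ?? '', $query); // parse_str() URL-decodes the value
    $target = is_string($query['url'] ?? null) ? $query['url'] : '';
    if (in_array(effectiveScheme($target), BLOCKED_SCHEMES, true)) {
        return '';
    }
    return $target;
}

// Constructed sample links: one ordinary target and three that must be rejected.
$samples = [
    't3://url/?url=https%3A%2F%2Fexample.org%2Fpage',
    't3://url/?url=JavaScript%3Avoid(0)',            // mixed-case scheme
    't3://url/?url=%20java%09script%3Avoid(0)',      // leading space, embedded tab
    't3://url/?url=data%3Atext%2Fplain%2Chello',
];
foreach ($samples as $link) {
    printf("%-52s => %s\n", $link, var_export(resolveUrlLink($link), true));
}
```

The check runs on the decoded `url` parameter rather than on the raw `t3://` string, so percent-encoding the colon or the scheme letters does not bypass it.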