[SECURITY] XSS in header link of all content elements 84/26184/2
author Anja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:51:29 +0000 (10:51 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:51:33 +0000 (10:51 +0100)
commit 60576d141acefdc6ae8799502f5f000df89aed35
tree 98e192f5c8b7b794dc4bf198c8196c03f562e208
parent 77dc1c4e5e56233c126cf34994b43ce6d5340b7a
[SECURITY] XSS in header link of all content elements

The second typolink parameter, that is the target, can be abused to
introduce XSS code into the generated link. Escaping the parameter
with quoteJSvalue solves the problem.

Change-Id: I1652e2f1e9fea660d2a5a9e74ace6317fe05ba3b
Fixes: #31206
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 4a1a06ad0124defafb991639b19d81f81f7d5b95
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26184
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/cms/tslib/class.tslib_content.php
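
The class of bug named in the commit message, as an added PHP example that is not the TYPO3 patch or TYPO3's own code: a link target concatenated into a JavaScript string, next to a version that quotes it for the JavaScript context and then for the HTML attribute. It assumes the target lands in a string literal inside an `onclick` attribute; `buildLinkUnsafe`, `buildLinkSafe`, `quoteForJsInAttribute` and the sample targets are hypothetical and constructed for illustration.

```php
<?php
// Added example, not TYPO3 code. Assumption: the link target ends up inside a
// single-quoted JavaScript string in an onclick attribute of the generated <a>.

// Vulnerable shape: the target is concatenated into the script unescaped.
function buildLinkUnsafe(string $url, string $target): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"'
        . ' onclick="window.open(this.href,\'' . $target . '\');return false;">link</a>';
}

// Hypothetical helper (stand-in for a JS-quoting function): encode for the
// JavaScript string context first, then for the HTML attribute around it.
function quoteForJsInAttribute(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    $jsLiteral = json_encode($value, $flags); // quoted literal; quotes and <>& become \uXXXX
    return htmlspecialchars($jsLiteral, ENT_QUOTES, 'UTF-8');
}

function buildLinkSafe(string $url, string $target): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"'
        . ' onclick="window.open(this.href,' . quoteForJsInAttribute($target) . ');return false;">link</a>';
}

// Constructed inputs: an ordinary target and two that close a quote early.
$samples = ['_blank', "x');marker();//", 'x" onmouseover="marker()'];

foreach ($samples as $target) {
    $unsafe = buildLinkUnsafe('https://example.org/', $target);
    $safe = buildLinkSafe('https://example.org/', $target);
    // A value containing quote characters must not survive verbatim in the
    // hardened link; a value without quotes is allowed to appear unchanged.
    $hasQuote = strpbrk($target, "'\"") !== false;
    $leaks = $hasQuote && strpos($safe, $target) !== false;
    printf("target:  %s\nunsafe:  %s\nsafe:    %s\nleaks:   %s\n\n",
        $target, $unsafe, $safe, $leaks ? 'yes' : 'no');
}
```

The order of the two encodings matters: the browser decodes the HTML attribute before the script engine parses the string, so the JavaScript escaping has to be applied first and the attribute escaping last.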