[SECURITY] Encode link text properly in typolink 21/40821/2
author Nicole Cordes <typo3@cordes.co>
Wed, 17 Jun 2015 14:53:48 +0000 (16:53 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:20:46 +0000 (16:20 +0200)
commit 9be2f6b1cc7339dfb7ae420ff57525f3336dd122
tree 354e52157f8723efa5dd7761703d0d2f8a6aef69
parent 7695d91fca1a96a3a3e7466097ae92c32b1130d8
[SECURITY] Encode link text properly in typolink

If the to-be-linked text is empty, the ContentObjectRenderer chooses an
appropriate link text but doesn't encode it properly. As hsc() was
abandoned before, this patch adds the parseFunc functionality to keep
common HTML tags which might be used by the editor but escapes unknown
characters and tags.

Resolves: #34107
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-004
Change-Id: I6df535562770cff58329998efcc01e387458aab9
Reviewed-on: http://review.typo3.org/40821
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php
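
The behaviour the commit message describes (automatically chosen link text must be encoded, common editor tags kept, everything else escaped) can be sketched as follows. This is an added example, not code from this commit or from TYPO3: `encodeLinkText()`, `buildLink()` and the tag allowlist are hypothetical, and the sketch does not reproduce how parseFunc works.

```php
<?php
// Added illustration. Function names and the allowlist are hypothetical;
// this is not TYPO3's parseFunc. URL scheme checks are out of scope here.

const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'sub', 'sup'];

/**
 * Escape the whole string, then restore only bare allowlisted tags.
 * A tag that carries attributes (for example an event handler) does not
 * match the pattern and therefore stays escaped.
 */
function encodeLinkText(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $pattern = '#&lt;(/?)(' . implode('|', ALLOWED_TAGS) . ')&gt;#i';
    return preg_replace($pattern, '<$1$2>', $escaped);
}

/**
 * Build an anchor element. With empty link text the link target is used
 * as the visible text, which is the case the commit message describes:
 * the fallback text is as untrusted as editor-supplied text.
 */
function buildLink(string $href, string $linkText = ''): string
{
    if ($linkText === '') {
        $linkText = $href; // automatically chosen text, still needs encoding
    }
    $safeHref = htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safeHref . '">' . encodeLinkText($linkText) . '</a>';
}

// Constructed sample inputs: [link target, link text].
$samples = [
    ['https://example.org/?q=<script>alert(1)</script>', ''],
    ['https://example.org/', 'Read <b>more</b>'],
    ['https://example.org/', '<b onclick="x()">more</b> & <u>less</u>'],
];
foreach ($samples as [$href, $text]) {
    echo buildLink($href, $text), PHP_EOL;
}
```

Escaping first and re-enabling only exact, attribute-free tags avoids having to parse attacker-controlled markup; text that already contains entities will be double-encoded by this sketch.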