[SECURITY] Encode link text properly in typolink 14/40814/2
author Nicole Cordes <typo3@cordes.co>
Wed, 17 Jun 2015 14:53:48 +0000 (16:53 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:17:30 +0000 (16:17 +0200)
commit d7feb40c8d277c6b6ab3a548313be1e1a2084299
tree ad5296e6963ffdbecfe4f15b94754079b3f12950
parent 128d2412537f3439774b1fde4e7d0fad06751f3d
[SECURITY] Encode link text properly in typolink

If the to-be-linked text is empty, the ContentObjectRenderer chooses an
appropriate link text but doesn't encode it properly. As hsc() was
abandoned before, this patch adds the parseFunc functionality to keep
common HTML tags which might be used by the editor but escapes unknown
characters and tags.

Resolves: #34107
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-004
Change-Id: I9a1442932c47032e3135f05b0994efe16689cdea
Reviewed-on: http://review.typo3.org/40814
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php