[SECURITY] Link fields accept inline javascript code 77/45277/2
author Oliver Hader <oliver@typo3.org>
Tue, 15 Dec 2015 10:36:44 +0000 (11:36 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:36:52 +0000 (11:36 +0100)
commit de1755a6dcff9b037c6d5a1fa340ba100aff054a
tree e020b3230e9f0edba6af1e093d50016b601ac548
parent c9fab9f74ccc27c13d487972f644e1f2d5045e21
[SECURITY] Link fields accept inline javascript code

JavaScript can be submitted for every link field and will be
rendered in the frontend passed through typolink. To circumvent
that, the URI scheme and prefix "javascript:" will be disallowed.

The extension "javascript_handler" allows, however, to bring back
that insecure behavior since some installations might rely on it.

Resolves: #71698
Releases: master, 6.2
Security-Commit: c854186c419f26a109afaf068149a58ef1745f32
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I7dbed505624718010023cd8192ff7174a6a43fa6
Reviewed-on: https://review.typo3.org/45277
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
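The commit message above describes the fix only at the level of "the URI scheme and prefix javascript: will be disallowed". The following is an added example, not the code from this commit or from TYPO3, showing what such a scheme check has to cover to be meaningful: browsers ignore leading whitespace and ASCII control characters before matching a scheme and match it case-insensitively, so a naive `strpos($url, 'javascript:')` would miss `JavaScript:` or `java\tscript:`. The function name `isDisallowedLinkTarget` and the sample targets are this example's own assumptions.

```php
<?php
/**
 * Added example (not TYPO3 code): decide whether a link target must not be
 * rendered as an href because it uses the "javascript:" scheme.
 * The function name and the sample inputs below are assumptions of this example.
 */

/**
 * Return true if $target must be rejected before rendering it as a link.
 *
 * Normalization mirrors what browsers do before scheme matching:
 * leading whitespace and ASCII control characters are ignored, and the
 * scheme name is compared case-insensitively.
 */
function isDisallowedLinkTarget(string $target): bool
{
    // Drop leading whitespace, then any ASCII control character (0x00-0x1F, 0x7F):
    // a browser would still read "java\tscript:" as the javascript scheme.
    $normalized = preg_replace('/[\x00-\x1F\x7F]/', '', ltrim($target));
    if ($normalized === null) {
        // preg_replace failed on the input; fail closed.
        return true;
    }

    // Extract the scheme up to the first ':' following RFC 3986:
    // ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m) !== 1) {
        // No scheme at all (relative path, page id, query string): nothing to block here.
        return false;
    }

    return strtolower($m[1]) === 'javascript';
}

// Constructed sample targets and the expected decision for each.
$samples = [
    'https://example.org/page'  => false,
    'javascript:void(0)'        => true,
    'JaVaScRiPt:void(0)'        => true,
    "   javascript:void(0)"     => true,
    "java\tscript:void(0)"      => true,
    'mailto:user@example.org'   => false,
    'index.php?id=1'            => false,
];

foreach ($samples as $target => $expected) {
    $result = isDisallowedLinkTarget($target);
    printf("%-32s disallowed=%s\n", json_encode($target), $result ? 'yes' : 'no');
    assert($result === $expected);
}
```

Matching the scheme after normalization is what makes the check robust against casing and embedded control characters; a denylist of one scheme is still narrower than an allowlist of schemes the site actually needs (http, https, mailto, and so on), which is the more defensible design where the link field format allows it.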