[SECURITY] Link fields accept Javascript code when using URI Data Scheme 70/49070/2
author Valentin Despa <valentin.despa@aoe.com>
Tue, 19 Jul 2016 10:16:43 +0000 (12:16 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:16:47 +0000 (12:16 +0200)
JavaScript can be submitted for every link field and will be
rendered in the frontend passed through typolink. To circumvent that,
the URI scheme and prefix "data:" will be disallowed.

Resolves: #76358
Releases: master,7.6,6.2
Security-Commit: 872e3e0dd290c61b3ec43c43531c1b2e60ee6e2d
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: Ia66178567bf7b64cc70c1c2994f442b13bcd62cd
Reviewed-on: https://review.typo3.org/49070
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php

index 025a00d..997b47d 100644 (file)
@@ -6311,8 +6311,8 @@ class ContentObjectRenderer
                 // Resource was not found
                 return $linkText;
             }
-        // Disallow direct javascript: links
-        } elseif (strtolower(trim($linkHandlerKeyword)) === 'javascript') {
+        // Disallow direct javascript: or data: links
+        } elseif (in_array(strtolower(trim($linkHandlerKeyword)), array('javascript', 'data'), true)) {
             return $linkText;
         } else {
             $linkParameter = $linkParameterParts['url'];
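Review bot: The `elseif` condition remains an exact-match denylist, now with two entries ('javascript', 'data'). Any keyword that is not identical to one of them after trim() and strtolower() falls through to the else branch, where $linkParameterParts['url'] is used as the link target. Consider inverting the check into an allowlist of the schemes link fields are meant to accept, so that an unlisted scheme is rejected by default. The commit message says both the URI scheme and the prefix "data:" will be disallowed, but this hunk only compares $linkHandlerKeyword. A short comment stating how that keyword is derived from the link parameter, plus a test covering mixed-case and whitespace-padded 'data' values, would make the coverage verifiable.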