[SECURITY] Link fields accept inline javascript code 65/45265/2
author Oliver Hader <oliver@typo3.org>
Tue, 15 Dec 2015 10:33:48 +0000 (11:33 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:33:54 +0000 (11:33 +0100)

JavaScript can be submitted for every link field and will be
rendered in the frontend passed through typolink. To circumvent
that, the URI scheme and prefix "javascript:" will be disallowed.

The extension "javascript_handler" allows however to bring back
that insecure behavior since some installations might rely on it.

Resolves: #71698
Releases: master, 6.2
Security-Commit: c9f5b7ced589c2d58a8c6099e5491923ace2e9a7
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I5a0bcb990686fa1e768974afe561f6b195906552
Reviewed-on: https://review.typo3.org/45265
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php

index dfa89df..41d8ce8 100644 (file)
@@ -5821,6 +5821,9 @@ class ContentObjectRenderer {
                                        // Resource was not found
                                        return $linktxt;
                                }
+                       // Disallow direct javascript: links
+                       } elseif (strtolower(trim($linkHandlerKeyword)) === 'javascript') {
+                               return $linktxt;
                        }
                        // Link parameter value
                        $link_param = trim($link_paramA[0]);
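
Review bot: the new elseif on $linkHandlerKeyword is an exact-match denylist for the single keyword 'javascript' after trim() and strtolower(), so any value that does not normalise to precisely that string falls through to the $link_param handling below. Consider validating the scheme against an allowlist of permitted schemes at this point rather than rejecting one name. The early "return $linktxt;" also drops the link silently, so a short note in the comment that the text is returned unlinked (and, if available here, a log entry) would help integrators who see links disappear after the upgrade. As a style point, the "// Disallow direct javascript: links" comment sits before the closing brace of the previous branch; it would read more clearly inside the elseif body.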