[BUGFIX] XSS in TYPO3 core when using typolink.parameter JS-Popup Window
authorMarco Bresch <marco.bresch@starfinanz.de>
Wed, 27 Jul 2011 10:29:58 +0000 (12:29 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:31:16 +0000 (12:31 +0200)
Change-Id: I1ff91f78e8a011e751e38d7a3c87adcfe19cf80a
Resolves: #28189
Reviewed-on: http://review.typo3.org/3763
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tstemplate.php
typo3/sysext/cms/tslib/class.tslib_content.php

index ac11300..6e71588 100644 (file)
@@ -1470,7 +1470,7 @@ class t3lib_TStemplate    {
                        // linkVars
                if ($GLOBALS['TSFE']->config['config']['uniqueLinkVars']) {
                        if ($addParams) {
-                               $LD['linkVars'] = t3lib_div::implodeArrayForUrl('',t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars.$addParams));
+                               $LD['linkVars'] = t3lib_div::implodeArrayForUrl('', t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars . $addParams), '', FALSE, TRUE);
                        } else {
                                $LD['linkVars'] = $GLOBALS['TSFE']->linkVars;
                        }
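Review bot: The else branch `$LD['linkVars'] = $GLOBALS['TSFE']->linkVars;` still passes the raw linkVars string through without the encoding the fixed branch now applies, so the protection only holds when `$addParams` is non-empty; if linkVars can carry unencoded parameter names from the request, that path needs the same treatment — worth confirming against how TSFE assembles linkVars, which is outside this hunk. The new positional tail `'', FALSE, TRUE` is opaque to a reader and presumably switches on encoding of the parameter names rather than only the values; a comment on the changed line such as `// rawurlencode parameter names as well, not only values (#28189)` would record why it is there. The enclosing method starts and ends outside the hunk.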
index eb0f596..4b6792d 100644 (file)
@@ -6231,7 +6231,8 @@ class tslib_cObj {
                                        $target = '';
                                }
 
-                               $onClick="vHWin=window.open('".$GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url'])."','FEopenLink','".$JSwindowParams."');vHWin.focus();return false;";
+                               $onClick="vHWin=window.open(" . t3lib_div::quoteJSvalue($GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url'])) .
+                                       ",'FEopenLink','" . $JSwindowParams . "');vHWin.focus();return false;";
                                $res = '<a href="'.htmlspecialchars($finalTagParts['url']).'"'. $target .' onclick="'.htmlspecialchars($onClick).'"'.($title?' title="'.$title.'"':'').($linkClass?' class="'.$linkClass.'"':'').$finalTagParts['aTagParams'].'>';
                        } else {
                                if ($GLOBALS['TSFE']->spamProtectEmailAddresses === 'ascii' && $finalTagParts['TYPE'] === 'mailto') {
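Review bot: `$JSwindowParams` is still spliced into the onclick string between hand-written quotes on the new line `",'FEopenLink','" . $JSwindowParams . "');..."`, so a `'` or `\` in it would break out of the JS literal exactly as the URL could before this fix; unless it is built strictly from validated numbers (it is assembled outside this hunk, so that cannot be checked here), it should go through the same helper: `",'FEopenLink'," . t3lib_div::quoteJSvalue($JSwindowParams) . ");vHWin.focus();return false;"`. The `htmlspecialchars($onClick)` on the following line protects the HTML attribute context only, not the JS string context inside it. `$title` and `$finalTagParts['aTagParams']` on the `$res = ...` line are likewise inserted raw; whether they are escaped earlier is not visible in this hunk. The enclosing typolink logic starts and ends outside the hunk.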
@@ -6501,7 +6502,7 @@ class tslib_cObj {
                        $newQueryArray = t3lib_div::array_merge_recursive_overrule($newQueryArray, $overruleQueryArguments, TRUE);
                }
 
-               return t3lib_div::implodeArrayForUrl('', $newQueryArray);
+               return t3lib_div::implodeArrayForUrl('', $newQueryArray, '', FALSE, TRUE);
        }