[BUGFIX] XSS in TYPO3 core when using typolink.parameter JS-Popup Window
authorMarco Bresch <marco.bresch@starfinanz.de>
Wed, 27 Jul 2011 10:30:08 +0000 (12:30 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:31:26 +0000 (12:31 +0200)
Change-Id: I1e04d0da3d139eef14d38f3ea4efe86172f4093d
Resolves: #28189
Reviewed-on: http://review.typo3.org/3766
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tstemplate.php
typo3/sysext/cms/tslib/class.tslib_content.php

index 4577470..c90b2d7 100644 (file)
@@ -1367,7 +1367,7 @@ class t3lib_TStemplate {
                        // linkVars
                if ($GLOBALS['TSFE']->config['config']['uniqueLinkVars']) {
                        if ($addParams) {
-                               $LD['linkVars'] = t3lib_div::implodeArrayForUrl('', t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars . $addParams));
+                               $LD['linkVars'] = t3lib_div::implodeArrayForUrl('', t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars . $addParams), '', FALSE, TRUE);
                        } else {
                                $LD['linkVars'] = $GLOBALS['TSFE']->linkVars;
                        }
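Review bot: Only the `$addParams` branch now goes through `implodeArrayForUrl(..., TRUE)`; the `else` branch still assigns `$GLOBALS['TSFE']->linkVars` verbatim, so if that value can carry parameter names that were never rawurlencoded, it reaches `$LD['linkVars']` without the same treatment — worth confirming where `linkVars` is assembled, which is outside this hunk. The trailing `'', FALSE, TRUE` is also opaque at the call site: the fifth argument is `$rawurlencodeParamName`, and a short comment such as `// also rawurlencode the parameter names, not only the values` would make the intent of the fix readable here and at the identical call in the hunk at line 6124 of class.tslib_content.php. The enclosing method continues past the end of the hunk.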
index 0edddbc..dd4bd89 100644 (file)
@@ -5788,8 +5788,8 @@ class tslib_cObj {
                                        $target = '';
                                }
 
-                               $onClick = "vHWin=window.open('" . $GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url']) .
-                                       "','FEopenLink','" . $JSwindowParams . "');vHWin.focus();return false;";
+                               $onClick = "vHWin=window.open(" . t3lib_div::quoteJSvalue($GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url'])) .
+                                       ",'FEopenLink','" . $JSwindowParams . "');vHWin.focus();return false;";
                                $res = '<a href="' . htmlspecialchars($finalTagParts['url']) . '"' .
                                        $target . ' onclick="' . htmlspecialchars($onClick) . '"' .
                                        ($title ? ' title="' . $title . '"' : '') .
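Review bot: `$JSwindowParams` is still spliced raw into the single-quoted JS string literal on the second `$onClick` line, while only the URL argument was moved to `t3lib_div::quoteJSvalue()`; if the window parameters derive from the same typolink input, a quote or backslash in them terminates that literal before `htmlspecialchars()` ever sees the attribute. The consistent fix is to quote that argument the same way: `",'FEopenLink'," . t3lib_div::quoteJSvalue($JSwindowParams) . ");vHWin.focus();return false;"`. On the last context line, `$title` is inserted into the `title` attribute without `htmlspecialchars()`, unlike `$finalTagParts['url']` two lines above — presumably it is escaped where it is built, but that is not visible here. The surrounding method begins and ends outside the hunk.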
@@ -6124,7 +6124,7 @@ class tslib_cObj {
                        $newQueryArray = t3lib_div::array_merge_recursive_overrule($newQueryArray, $overruleQueryArguments, TRUE);
                }
 
-               return t3lib_div::implodeArrayForUrl('', $newQueryArray);
+               return t3lib_div::implodeArrayForUrl('', $newQueryArray, '', FALSE, TRUE);
        }