[SECURITY] Encode URL for use in JavaScript 70/30270/2
authorMarkus Klein <klein.t3@mfc-linz.at>
Thu, 22 May 2014 07:31:08 +0000 (09:31 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 22 May 2014 07:31:12 +0000 (09:31 +0200)
The url for the Open in New Window button must be quoted for
use in JavaScript to prevent XSS issues.

Change-Id: If3600662e79fb0945ca62b3a25feaf001180b88d
Fixes: #48693
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 8a9c1615f82cf0a8c3449ae37f47338da132e505
Security-Bulletin: TYPO3-CORE-SA-2014-001
Reviewed-on: https://review.typo3.org/30270
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/alt_doc.php

index 67d2c59..14fa506 100644 (file)
@@ -1020,7 +1020,7 @@ class SC_alt_doc {
                if ($this->returnUrl == 'close.html') {
                        return '';
                }
-               $aOnClick = 'vHWin=window.open(\''.t3lib_div::linkThisScript(array('returnUrl'=>'close.html')).'\',\''.md5($this->R_URI).'\',\'width=670,height=500,status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
+               $aOnClick = 'vHWin=window.open('.t3lib_div::quoteJSvalue(t3lib_div::linkThisScript(array('returnUrl'=>'close.html'))).',\''.md5($this->R_URI).'\',\'width=670,height=500,status=0,menubar=0,scrollbars=1,resizable=1\');vHWin.focus();return false;';
                return '<a href="#" onclick="'.htmlspecialchars($aOnClick).'" title="' . $LANG->sL('LLL:EXT:lang/locallang_core.php:labels.openInNewWindow', TRUE) . '">' .
                                t3lib_iconWorks::getSpriteIcon('actions-window-open') .
                        '</a>';