[SECURITY] XSS in header link of all content elements 84/26184/2
author Anja Leichsenring <aleichsenring@ab-softlab.de>
Tue, 10 Dec 2013 09:51:29 +0000 (10:51 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 10 Dec 2013 09:51:33 +0000 (10:51 +0100)
The second typolink parameter, that is the target, can be abused to
introduce XSS code into the generated link. Escaping the parameter
with quoteJSvalue solves the problem.

Change-Id: I1652e2f1e9fea660d2a5a9e74ace6317fe05ba3b
Fixes: #31206
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Security-Commit: 4a1a06ad0124defafb991639b19d81f81f7d5b95
Security-Bulletin: TYPO3-CORE-SA-2013-004
Reviewed-on: https://review.typo3.org/26184
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/cms/tslib/class.tslib_content.php

index b2e867c..166ced1 100644 (file)
@@ -5955,7 +5955,7 @@ class tslib_cObj {
                                }
 
                                $onClick = "vHWin=window.open(" . t3lib_div::quoteJSvalue($GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url']), TRUE) .
-                                       ",'FEopenLink','" . $JSwindowParams . "');vHWin.focus();return false;";
+                                       ",'FEopenLink'," . t3lib_div::quoteJSvalue($JSwindowParams) . ");vHWin.focus();return false;";
                                $res = '<a href="' . htmlspecialchars($finalTagParts['url']) . '"' .
                                        $target . ' onclick="' . htmlspecialchars($onClick) . '"' .
                                        ($title ? ' title="' . $title . '"' : '') .
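Review bot: the added t3lib_div::quoteJSvalue($JSwindowParams) call omits the second argument that the URL call on the line above passes as TRUE, although both values are concatenated into the same $onClick string and that string is passed through htmlspecialchars() when the onclick attribute is written. If that flag is what keeps quoteJSvalue from HTML-encoding its own result, the window parameters would be encoded twice while the URL is encoded once. Either pass TRUE here as well or add a short comment explaining why the two calls differ. A regression test that feeds a target value containing a single quote through typolink and asserts on the generated onclick attribute would pin the intended encoding down for all five release branches.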