[BUGFIX] Fix HTML in modal of OnlineMedia.js 40/59140/3
authorBenni Mack <benni@typo3.org>
Thu, 13 Dec 2018 20:57:13 +0000 (21:57 +0100)
committerBenni Mack <benni@typo3.org>
Thu, 13 Dec 2018 21:37:02 +0000 (22:37 +0100)
Allows calling the OnlineMedia modal box again.

This change also adapts the buttons within
a Modal to be text-only.

Resolves: #87144
Releases: master, 8.7
Change-Id: Id08356aad3eb319c59af1411a14131715c8159d0
Reviewed-on: https://review.typo3.org/59140
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/backend/Resources/Public/JavaScript/Modal.js
typo3/sysext/backend/Resources/Public/JavaScript/OnlineMedia.js

index 7041595..7b65573 100644 (file)
@@ -333,7 +333,7 @@ define(['jquery',
       for (i = 0; i < buttons.length; i++) {
         var button = buttons[i];
         var $button = $('<button />', {class: 'btn'});
-        $button.html('<span>' + button.text + '</span>');
+        $button.html('<span>' + securityUtility.encodeHtml(button.text, false) + '</span>');
         if (button.active) {
           $button.addClass('t3js-active');
         }
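Review bot: The button label is still concatenated into an HTML string and passed to `.html()`, so the output stays safe only as long as every such concatenation remembers to call `encodeHtml`. Building the node and setting its text removes that dependency: `$button.append($('<span />').text(button.text));`. If labels may already contain HTML entities, `.text()` would show them literally, so confirm that before switching. `securityUtility` is not declared anywhere in the visible lines of Modal.js; confirm it is already in module scope, otherwise this line throws when the first button is rendered. The enclosing function starts and ends outside the hunk.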
index b41c9de..6eca16b 100644 (file)
@@ -19,8 +19,9 @@ define(['jquery',
   'nprogress',
   'TYPO3/CMS/Backend/Modal',
   'TYPO3/CMS/Backend/Severity',
+  'TYPO3/CMS/Core/SecurityUtility',
   'TYPO3/CMS/Lang/Lang'
-], function($, NProgress, Modal, Severity) {
+], function($, NProgress, Modal, Severity, SecurityUtility) {
   'use strict';
 
   /**
@@ -31,6 +32,7 @@ define(['jquery',
    */
   var OnlineMediaPlugin = function(element) {
     var me = this;
+    me.securityUtility = new SecurityUtility();
     me.$btn = $(element);
     me.target = me.$btn.data('target-folder');
     me.irreObjectUid = me.$btn.data('file-irre-object');
@@ -84,17 +86,27 @@ define(['jquery',
      */
     me.triggerModal = function() {
       var allowedExtMarkup = $.map(me.allowed.split(','), function(ext) {
-        return '<span class="label label-success">' + ext.toUpperCase() + '</span>';
+        return '<span class="label label-success">' + me.securityUtility.encodeHtml(ext.toUpperCase(), false) + '</span>';
       });
+      var $markup = $('<div>')
+        .attr('class', 'form-control-wrap')
+        .append([
+          $('<input>')
+            .attr('type', 'text')
+            .attr('class', 'form-control online-media-url')
+            .attr('placeholder', me.placeholder),
+            $('<div>')
+              .attr('class', 'help-block')
+              .html(me.securityUtility.encodeHtml(me.allowedHelpText, false) + '<br>' + allowedExtMarkup.join(' '))
+        ]);
+
       var $modal = Modal.show(
         me.$btn.attr('title'),
-        '<div class="form-control-wrap">' +
-        '<input type="text" class="form-control online-media-url" placeholder="' + me.placeholder + '" />' +
-        '</div><div class="help-block">' + me.allowedHelpText + '<br>' + allowedExtMarkup.join(' ') + '</div>',
+        $markup,
         Severity.notice,
         [{
           text: me.btnSubmit,
-          btnClass: 'btn',
+          btnClass: 'btn btn-primary',
           name: 'ok',
           trigger: function() {
             var url = $modal.find('input.online-media-url').val();
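Review bot: The help block is still produced by string concatenation into `.html()`: the encoded `me.allowedHelpText`, a literal `<br>`, and the joined `allowedExtMarkup` strings. This is the one place in the new `$markup` tree where safety depends on each fragment having been encoded by hand, while the input next to it already uses `.attr()`. Building the label spans as nodes with `.text()` would make the whole tree consistent and drop the need for `encodeHtml` here. The behaviour differs only if the labels may carry HTML entities, which `.text()` would display literally. The `trigger` callback continues past the end of the hunk, so how `url` is used afterwards is not visible here.

```javascript
      var $help = $('<div>').attr('class', 'help-block').text(me.allowedHelpText).append('<br>');
      $.each(me.allowed.split(','), function(index, ext) {
        if (index > 0) {
          $help.append(document.createTextNode(' '));
        }
        $help.append($('<span>').attr('class', 'label label-success').text(ext.toUpperCase()));
      });
      // … unchanged: $markup wrapper and text input, with $help appended in place of the .html() div …
```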