* Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
* Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
* Fixed bug #12306: XSS vulnerability in module dispatcher
* Fixed bug #12304: Frame inclusion in the backend through alt_mod_frameset (thanks to Oliver Klee)
* Fixed bug #12305: XSS vulnerability in view_help.php / tfID parameter (thanks to Oliver Klee)
* Fixed bug #12306: XSS vulnerability in module dispatcher
+ * Fixed bug #12307: XSS vulnerability in alt_palette (thanks to Oliver Klee)
2009-10-21 Sebastian Kurfuerst <sebastian@typo3.org>
2009-10-21 Sebastian Kurfuerst <sebastian@typo3.org>
function init() {
// Setting GPvars, etc.
function init() {
// Setting GPvars, etc.
- $this->formName = t3lib_div::_GP('formName');
- $this->GPbackref = t3lib_div::_GP('backRef');
+ $this->formName = $this->sanitizeHtmlName(t3lib_div::_GP('formName'));
+ $this->GPbackref = $this->sanitizeHtmlName(t3lib_div::_GP('backRef'));
$this->inData = t3lib_div::_GP('inData');
$this->inData = t3lib_div::_GP('inData');
- $this->prependFormFieldNames = t3lib_div::_GP('prependFormFieldNames');
+ // safeguards the input with whitelisting
+ if (!preg_match('/^[a-zA-Z0-9\-_\:]+$/', $this->inData)) {
+ $this->inData = '';
+ }
+ $this->prependFormFieldNames =
+ $this->sanitizeHtmlName(t3lib_div::_GP('prependFormFieldNames'));
$this->rec = t3lib_div::_GP('rec');
// Making references:
$this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';
$this->rec = t3lib_div::_GP('rec');
// Making references:
$this->backRef = $this->GPbackref ? $this->GPbackref : 'window.opener';
-# $this->backRef = 'top.content.list_frame.view_frame';
$this->formRef = $this->backRef.'.document.'.$this->formName;
$this->formRef = $this->backRef.'.document.'.$this->formName;
+ /**
+ * Sanitizes HTML names, IDs, frame names etc.
+ *
+ * @param string $input the string to sanitize
+ *
+ * @return string the unchanged $input if $input is considered to be harmless,
+ * an empty string otherwise
+ */
+ protected function sanitizeHtmlName($input) {
+ $result = $input;
+
+ if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/', $result)) {
+ $result = '';
+ }
+
+ return $result;
+ }
+
/**
* Main function, rendering the palette form
*
/**
* Main function, rendering the palette form
*
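Review bot: The `$` anchor in both new whitelist patterns (`/^[a-zA-Z0-9\-_\:]+$/` applied to inData and `/^[a-zA-Z][a-zA-Z0-9_\-\.]*$/` in sanitizeHtmlName) matches before a trailing newline, so a value ending in `%0A` still passes and the newline is carried into the JavaScript reference assembled in `$this->formRef` from backRef and formName. Anchoring with `\z` (or adding the `D` modifier) makes the whitelist strict end-to-end: `if (!preg_match('/^[a-zA-Z][a-zA-Z0-9_\-\.]*\z/', $result)) {` and `if (!preg_match('/^[a-zA-Z0-9\-_\:]+\z/', $this->inData)) {`. `$this->rec` is still taken from `t3lib_div::_GP('rec')` unfiltered on the line after `prependFormFieldNames`; whether it needs the same treatment depends on where it is echoed, which is outside this hunk. The sanitizeHtmlName docblock would be clearer if it named the accepted shape, e.g. `@return string the unchanged $input if it starts with a letter and contains only letters, digits, "_", "-" and ".", an empty string otherwise`, so callers know a leading digit or a colon is rejected.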