[BUGFIX] Invalid CSRF token on viewing page using page-tree context menu 97/44297/2
authorOliver Hader <oliver@typo3.org>
Mon, 26 Oct 2015 15:33:20 +0000 (16:33 +0100)
committerWouter Wolters <typo3@wouterwolters.nl>
Thu, 29 Oct 2015 13:56:17 +0000 (14:56 +0100)
Frontend previews triggered using the context menu of the page-tree are
causing an exception concerning an "invalid CSRF token". The reason for
this is that URL loaded in the context menu are delivered via ExtDirect
and thus are encoded for a JavaScript context. Ampersands are encoded
as well, using the unicode serialization in JSON ('\u0026').

This issue is solved by decoding the value again and thus resolve the
expected URL to be delivered as XHR result.

Resolves: #69021
Releases: master
Change-Id: I5836ae0f3d461f6e3a091c783b9fccd4412eaffb
Reviewed-on: https://review.typo3.org/44297
Reviewed-by: Daniel Goerz <ervaude@gmail.com>
Tested-by: Daniel Goerz <ervaude@gmail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/backend/Classes/Tree/Pagetree/ExtdirectTreeCommands.php

index 20ea4ba..4473f37 100644 (file)
@@ -325,16 +325,21 @@ class ExtdirectTreeCommands
     /**
      * Returns the view link of a given node
      *
-     * @param stdClass $nodeData
+     * @param \stdClass $nodeData
      * @return string
      */
     public static function getViewLink($nodeData)
     {
         /** @var $node \TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode */
         $node = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Tree\Pagetree\PagetreeNode::class, (array)$nodeData);
-        $javascriptLink = stripslashes(BackendUtility::viewOnClick($node->getId()));
-        preg_match('/window\\.open\\(\'([^\']+)\'/i', $javascriptLink, $match);
-        return $match[1];
+        $javascriptLink = BackendUtility::viewOnClick($node->getId());
+        $extractedLink = '';
+        if (preg_match('/window\\.open\\(\'([^\']+)\'/i', $javascriptLink, $match)) {
+            // Clean JSON-serialized ampersands ('&')
+            // @see GeneralUtility::quoteJSvalue()
+            $extractedLink = json_decode('"' . trim($match[1], '"') . '"', JSON_HEX_AMP);
+        };
+        return $extractedLink;
     }
 
     /**