[BUGFIX] XSS in browse_links
authorGeorg Ringer <mail@ringerge.org>
Wed, 27 Jul 2011 10:29:11 +0000 (12:29 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:30:30 +0000 (12:30 +0200)
Change-Id: Id9147d23bd1db22f346e938fabeffa5b1bce0eb5
Resolves: #24497
Reviewed-on: http://review.typo3.org/3753
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/class.browse_links.php

index f008a0a..00736c6 100644 (file)
@@ -879,19 +879,19 @@ class browse_links {
                }
 
                        // Initializing the target value (RTE)
-               $this->setTarget = ($this->curUrlArray['target'] != '-') ? $this->curUrlArray['target'] : '';
+               $this->setTarget = ($this->curUrlArray['target'] != '-') ? rawurlencode($this->curUrlArray['target']) : '';
                if ($this->thisConfig['defaultLinkTarget'] && !isset($this->curUrlArray['target']))     {
                        $this->setTarget=$this->thisConfig['defaultLinkTarget'];
                }
 
                        // Initializing the class value (RTE)
-               $this->setClass = ($this->curUrlArray['class'] != '-') ? $this->curUrlArray['class'] : '';
+               $this->setClass = ($this->curUrlArray['class'] != '-') ? rawurlencode($this->curUrlArray['class']) : '';
 
                        // Initializing the title value (RTE)
-               $this->setTitle = ($this->curUrlArray['title'] != '-') ? $this->curUrlArray['title'] : '';
+               $this->setTitle = ($this->curUrlArray['title'] != '-') ? rawurlencode($this->curUrlArray['title']) : '';
                
                        // Initializing the params value
-               $this->setParams = ($this->curUrlArray['params'] != '-') ? $this->curUrlArray['params'] : '';
+               $this->setParams = ($this->curUrlArray['params'] != '-') ? rawurlencode($this->curUrlArray['params']) : '';
 
                        // BEGIN accumulation of header JavaScript:
                $JScode = '
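Review bot: The encoding is applied when the values are stored into `$this->setTarget`, `setClass`, `setTitle` and `setParams` rather than where they are written into the JavaScript string, so every other reader of those properties in the class now receives percent-encoded text, and the `defaultLinkTarget` fallback assigned two lines after the first change stays unencoded, leaving the property holding either encoded or raw text depending on which branch ran. Escaping at the emission point instead (the `var cur_*` lines in the following hunk, e.g. `rawurlencode()` there, or `t3lib_div::quoteJSvalue()` if the installed core provides it) keeps the properties raw and makes the protection independent of how the value was set. A short comment such as `// rawurlencode: values are emitted inside a double-quoted JS string below` on the first changed line would at least record why the properties are stored encoded. The enclosing method starts outside the hunk.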
@@ -902,7 +902,7 @@ class browse_links {
                        var add_title="'.($this->setTitle?'&curUrl[title]='.rawurlencode($this->setTitle):'').'";
                        var add_params="'.($this->bparams?'&bparams='.rawurlencode($this->bparams):'').'";
 
-                       var cur_href="'.($this->curUrlArray['href']?$this->curUrlArray['href']:'').'";
+                       var cur_href="' . ($this->curUrlArray['href'] ? rawurlencode($this->curUrlArray['href']) : '') . '";
                        var cur_target="'.($this->setTarget?$this->setTarget:'').'";
                        var cur_class = "' . ($this->setClass ? $this->setClass : '') . '";
                        var cur_title="'.($this->setTitle?$this->setTitle:'').'";
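Review bot: `add_title` on the first line of this hunk still applies `rawurlencode()` to `$this->setTitle`, which the previous hunk now stores already percent-encoded, so the `&curUrl[title]=` parameter is double-encoded (`%` becomes `%25`) and the title will round-trip differently than before the change. The `add_target`/`add_class`/`add_params` lines presumably built the same way just above this hunk would have the same problem if they are, which cannot be seen from here. Either drop the outer call here, e.g. `var add_title="'.($this->setTitle?'&curUrl[title]='.$this->setTitle:'').'";`, or keep the properties raw and encode only at output as `cur_href` on the changed line of this hunk already does. The enclosing method continues outside the hunk.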