[BUGFIX] XSS in TYPO3 core when using typolink.parameter JS-Popup Window
authorMarco Bresch <marco.bresch@starfinanz.de>
Wed, 27 Jul 2011 10:30:04 +0000 (12:30 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:31:23 +0000 (12:31 +0200)
Change-Id: Id1cd396d56358519be2b312d39e25b26cf943253
Resolves: #28189
Reviewed-on: http://review.typo3.org/3765
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/class.t3lib_tstemplate.php
typo3/sysext/cms/tslib/class.tslib_content.php

index 719c6f9..87898b1 100644 (file)
@@ -1472,7 +1472,7 @@ class t3lib_TStemplate {
                        // linkVars
                if ($GLOBALS['TSFE']->config['config']['uniqueLinkVars']) {
                        if ($addParams) {
-                               $LD['linkVars'] = t3lib_div::implodeArrayForUrl('', t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars . $addParams));
+                               $LD['linkVars'] = t3lib_div::implodeArrayForUrl('', t3lib_div::explodeUrl2Array($GLOBALS['TSFE']->linkVars . $addParams), '', FALSE, TRUE);
                        } else {
                                $LD['linkVars'] = $GLOBALS['TSFE']->linkVars;
                        }
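Review bot: The encoding of parameter names is only switched on in the `$addParams` branch; the `else` branch two lines below still hands back `$GLOBALS['TSFE']->linkVars` verbatim, so names in that string are only safe if they were already encoded where linkVars is assembled, which is outside this hunk and worth confirming rather than assuming. The positional `'', FALSE, TRUE` also reads as magic numbers; a one-line comment would make the intent reviewable, e.g. `// last arg TRUE: rawurlencode parameter *names* too, so a crafted GET key cannot break out of the generated URL` (assuming the fifth parameter is `$rawurlencodeParamName` as in 4.x's t3lib_div). The enclosing method starts before and ends after this hunk.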
index 82ccf6d..d8c01d9 100644 (file)
@@ -5902,8 +5902,8 @@ class tslib_cObj {
                                        $target = '';
                                }
 
-                               $onClick = "vHWin=window.open('" . $GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url']) .
-                                       "','FEopenLink','" . $JSwindowParams . "');vHWin.focus();return false;";
+                               $onClick = "vHWin=window.open(" . t3lib_div::quoteJSvalue($GLOBALS['TSFE']->baseUrlWrap($finalTagParts['url'])) .
+                                       ",'FEopenLink','" . $JSwindowParams . "');vHWin.focus();return false;";
                                $res = '<a href="' . htmlspecialchars($finalTagParts['url']) . '"' .
                                        $target . ' onclick="' . htmlspecialchars($onClick) . '"' .
                                        ($title ? ' title="' . $title . '"' : '') .
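Review bot: `$JSwindowParams` is still concatenated raw into the single-quoted JavaScript string on the second line of the new `$onClick` assignment, while only the URL was moved through `quoteJSvalue()`; as it is derived from the typolink parameter (editor-supplied content), it needs the same treatment unless it is provably built only from `intval()`'d width/height values where it is assembled, which is outside this hunk. The cheap fix is `",'FEopenLink'," . t3lib_div::quoteJSvalue($JSwindowParams) . ");vHWin.focus();return false;"`, which keeps the outer `htmlspecialchars($onClick)` layering unchanged. `$title` on the last context line is likewise emitted into the attribute without `htmlspecialchars()` here, so it should be confirmed to be escaped at its origin. The enclosing method (typoLink, judging by `$finalTagParts`/`FEopenLink`) starts before and ends after this hunk.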
@@ -6238,7 +6238,7 @@ class tslib_cObj {
                        $newQueryArray = t3lib_div::array_merge_recursive_overrule($newQueryArray, $overruleQueryArguments, TRUE);
                }
 
-               return t3lib_div::implodeArrayForUrl('', $newQueryArray);
+               return t3lib_div::implodeArrayForUrl('', $newQueryArray, '', FALSE, TRUE);
        }