[BUGFIX] XSS in browse_links
authorGeorg Ringer <mail@ringerge.org>
Wed, 27 Jul 2011 10:28:59 +0000 (12:28 +0200)
committerOliver Hader <oliver@typo3.org>
Wed, 27 Jul 2011 10:30:23 +0000 (12:30 +0200)
Change-Id: I24846aa6756cd50942d36b088fb83b128ee8d946
Resolves: #24497
Reviewed-on: http://review.typo3.org/3751
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/class.browse_links.php

index 0870fbc..af430d8 100644 (file)
@@ -872,16 +872,16 @@ class browse_links {
                }
 
                        // Initializing the target value (RTE)
-               $this->setTarget = ($this->curUrlArray['target'] != '-') ? $this->curUrlArray['target'] : '';
+               $this->setTarget = ($this->curUrlArray['target'] != '-') ? rawurlencode($this->curUrlArray['target']) : '';
                if ($this->thisConfig['defaultLinkTarget'] && !isset($this->curUrlArray['target']))     {
                        $this->setTarget=$this->thisConfig['defaultLinkTarget'];
                }
 
                        // Initializing the class value (RTE)
-               $this->setClass = ($this->curUrlArray['class'] != '-') ? $this->curUrlArray['class'] : '';
+               $this->setClass = ($this->curUrlArray['class'] != '-') ? rawurlencode($this->curUrlArray['class']) : '';
 
                        // Initializing the title value (RTE)
-               $this->setTitle = ($this->curUrlArray['title'] != '-') ? $this->curUrlArray['title'] : '';
+               $this->setTitle = ($this->curUrlArray['title'] != '-') ? rawurlencode($this->curUrlArray['title']) : '';
 
                        // BEGIN accumulation of header JavaScript:
                $JScode = '
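Review bot: The three new assignments store a percent-encoded value in $this->setTarget, $this->setClass and $this->setTitle, while the `defaultLinkTarget` branch directly below the first one still stores the raw config string, so the same property holds a different representation depending on which branch ran, and every later reader of these properties (including the `add_title` line in the second hunk, which calls rawurlencode on setTitle again) now receives an encoded string instead of the value. The narrower fix is to keep the raw value here and escape at the one place it is written into the JavaScript string, e.g. `var cur_target=' . json_encode((string) $this->setTarget) . ';`, since json_encode escapes the quote, backslash and `/` characters that allow a breakout inside a `<script>` block. If the properties are intended to be stored encoded, the `defaultLinkTarget` assignment should be encoded the same way so readers see one representation. The enclosing method starts and ends outside the hunk.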
@@ -892,7 +892,7 @@ class browse_links {
                        var add_title="'.($this->setTitle?'&curUrl[title]='.rawurlencode($this->setTitle):'').'";
                        var add_params="'.($this->bparams?'&bparams='.rawurlencode($this->bparams):'').'";
 
-                       var cur_href="'.($this->curUrlArray['href']?$this->curUrlArray['href']:'').'";
+                       var cur_href="' . ($this->curUrlArray['href'] ? rawurlencode($this->curUrlArray['href']) : '') . '";
                        var cur_target="'.($this->setTarget?$this->setTarget:'').'";
                        var cur_class = "'.($this->setClass ? $this->setClass : '-').'";
                        var cur_title="'.($this->setTitle?$this->setTitle:'').'";
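Review bot: The `add_title` line at the top of this hunk applies rawurlencode($this->setTitle), but setTitle is now assigned already rawurlencoded in the first hunk, so the query-string title is double-encoded (a space becomes `%2520`); the add_target/add_class lines presumably sit just above this hunk and would have the same problem, but they are not visible here. Either drop the encoding at this output point or, preferably, keep the stored value raw and encode only when emitting: `var add_title="' . ($this->setTitle ? '&curUrl[title]=' . rawurlencode($this->setTitle) : '') . '";` then stays correct as written. The new `cur_href` line places a percent-encoded string into a JS variable, which does close the quote-breakout, but unless the script that reads cur_href decodes it, URLs containing spaces or non-ASCII characters will be written back in encoded form, so this should be checked against that consumer. The `$JScode` string continues outside the hunk.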