[SECURITY] Link fields accept Javascript code when using URI Data Scheme
author Valentin Despa <valentin.despa@aoe.com>
Tue, 19 Jul 2016 10:18:09 +0000 (12:18 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 19 Jul 2016 10:18:13 +0000 (12:18 +0200)
JavaScript can be submitted for every link field and will be
rendered in the frontend passed through typolink. To circumvent that,
the URI scheme and prefix "data:" will be disallowed.

Resolves: #76358
Releases: master,7.6,6.2
Security-Commit: d0eeaa3fe2f0c5736a746c10d4c43aec2bf46174
Security-Bulletins: TYPO3-CORE-SA-2016-014, 015, 016, 017, 018
Change-Id: I3920808e396d7b2b77cd5baa8beb4d6711c86d91
Reviewed-on: https://review.typo3.org/49082
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php

index b1e4881..738e52b 100644 (file)
@@ -5715,8 +5715,8 @@ class ContentObjectRenderer
                 // Resource was not found
                 return $linkText;
             }
-        // Disallow direct javascript: links
-        } elseif (strtolower(trim($linkHandlerKeyword)) === 'javascript') {
+        // Disallow direct javascript: or data: links
+        } elseif (in_array(strtolower(trim($linkHandlerKeyword)), array('javascript', 'data'), true)) {
             return $linkText;
         } else {
             $linkParameter = $linkParameterParts['url'];
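
Review bot: The changed elseif grows a denylist by one inline literal, array('javascript', 'data'), so any further scheme that should never reach the frontend means another edit to this condition. Consider moving the list into a class constant, or checking $linkHandlerKeyword against a list of permitted schemes, so the policy lives in one place and is visible to reviewers. The diff as shown touches only ContentObjectRenderer.php; a unit test asserting that plain $linkText is returned for both keywords, including the mixed-case and whitespace-padded forms that strtolower(trim(...)) is meant to normalise, would guard against regressions. The strict third argument to in_array is correct and should stay.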