[SECURITY] Link fields accept inline javascript code 77/45277/2
author Oliver Hader <oliver@typo3.org>
Tue, 15 Dec 2015 10:36:44 +0000 (11:36 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:36:52 +0000 (11:36 +0100)
JavaScript can be submitted for every link field and will be
rendered in the frontend passed through typolink. To circumvent
that, the URI scheme and prefix "javascript:" will be disallowed.

The extension "javascript_handler", however, allows bringing back
that insecure behavior, since some installations might rely on it.

Resolves: #71698
Releases: master, 6.2
Security-Commit: c854186c419f26a109afaf068149a58ef1745f32
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I7dbed505624718010023cd8192ff7174a6a43fa6
Reviewed-on: https://review.typo3.org/45277
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php

index 8ab9258..7ede0ea 100644 (file)
@@ -6311,6 +6311,9 @@ class ContentObjectRenderer
                 // Resource was not found
                 return $linkText;
             }
+        // Disallow direct javascript: links
+        } elseif (strtolower(trim($linkHandlerKeyword)) === 'javascript') {
+            return $linkText;
         } else {
             $linkParameter = $linkParameterParts['url'];
         }
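
Review bot: The new elseif branch is a deny-list for a single keyword: it only fires when strtolower(trim($linkHandlerKeyword)) is exactly 'javascript', so its effectiveness depends on how $linkHandlerKeyword was split from the link parameter earlier, which this hunk does not show. trim() strips only leading and trailing whitespace, and any other scheme falls through to the else branch and is used as $linkParameterParts['url'] unchanged. Consider checking the parsed scheme against an allow-list of permitted schemes at this point instead, and add a unit test that feeds mixed-case and whitespace-padded values through typolink and asserts that only $linkText comes back. Two smaller points: the comment "// Disallow direct javascript: links" sits above "} elseif", so it reads as part of the preceding block and would be clearer inside the new branch; and the branch returns $linkText silently, so a log entry here would help integrators find content that relied on the old behavior.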