Commit 2b73e6f6 authored by Oliver Hader's avatar Oliver Hader

Fixed bug #13249: XSS in TS Object Browser

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-1@7627 709f56b5-9817-0410-a4d7-c38de5d9e867
parent bbebcf38
......@@ -3,6 +3,7 @@
* Fixed bug #13394: Information disclosure in sysext:sys_actions (thanks to Georg Ringer)
* Fixed bug #13042: XSS in index.php (thanks to Georg Ringer)
* Fixed bug #11617: XSS in template module (thanks to Georg Ringer)
* Fixed bug #13249: XSS in TS Object Browser (thanks to Marcus Krause)
2010-04-09 Michael Stucki <michael@typo3.org>
......
......@@ -320,8 +320,8 @@ class tx_tstemplateobjbrowser extends t3lib_extobjbase {
if ($existTemplate) {
// Value
$out = '';
$out.= $this->pObj->sObj.' =<br />';
$out.='<input type="Text" name="data['.$this->pObj->sObj.'][value]" value="'.htmlspecialchars($theSetupValue).'"'.$GLOBALS["TBE_TEMPLATE"]->formWidth(40).'>';
$out.= htmlspecialchars($this->pObj->sObj).' =<br />';
$out.='<input type="Text" name="data['.htmlspecialchars($this->pObj->sObj).'][value]" value="'.htmlspecialchars($theSetupValue).'"'.$GLOBALS["TBE_TEMPLATE"]->formWidth(40).'>';
$out.='<input type="Submit" name="update_value" value="Update">';
$theOutput.=$this->pObj->doc->section("Edit object/property value:",$out,0,0);
......@@ -330,14 +330,14 @@ class tx_tstemplateobjbrowser extends t3lib_extobjbase {
$url=$BACK_PATH."wizard_tsconfig.php?mode=tsref&onlyProperty=1";
$params=array();
$params["formName"]="editForm";
$params["itemName"]="data[".$this->pObj->sObj."][name]";
$params["itemValue"]="data[".$this->pObj->sObj."][propertyValue]";
$params["itemName"]="data[".htmlspecialchars($this->pObj->sObj)."][name]";
$params["itemValue"]="data[".htmlspecialchars($this->pObj->sObj)."][propertyValue]";
$TSicon='<a href="#" onClick="vHWin=window.open(\''.$url.t3lib_div::implodeArrayForUrl("",array("P"=>$params)).'\',\'popUp'.$md5ID.'\',\'height=500,width=780,status=0,menubar=0,scrollbars=1\');vHWin.focus();return false;"><img src="'.$BACK_PATH.'gfx/wizard_tsconfig_s.gif" width="22" height="16" border="0" class="absmiddle" hspace=2 title="TSref reference"></a>';
} else $TSicon="";
$out="";
$out="<nobr>".$this->pObj->sObj.".";
$out.='<input type="Text" name="data['.$this->pObj->sObj.'][name]"'.$GLOBALS["TBE_TEMPLATE"]->formWidth(20).'>'.$TSicon.' = </nobr><BR>';
$out.='<input type="Text" name="data['.$this->pObj->sObj.'][propertyValue]"'.$GLOBALS["TBE_TEMPLATE"]->formWidth(40).'>';
$out="<nobr>".htmlspecialchars($this->pObj->sObj).".";
$out.='<input type="Text" name="data['.htmlspecialchars($this->pObj->sObj).'][name]"'.$GLOBALS["TBE_TEMPLATE"]->formWidth(20).'>'.$TSicon.' = </nobr><BR>';
$out.='<input type="Text" name="data['.htmlspecialchars($this->pObj->sObj).'][propertyValue]"'.$GLOBALS["TBE_TEMPLATE"]->formWidth(40).'>';
$out.='<input type="Submit" name="add_property" value="Add">';
......@@ -347,8 +347,8 @@ class tx_tstemplateobjbrowser extends t3lib_extobjbase {
// clear
$out="";
$out=$this->pObj->sObj." <b>CLEAR?</b> &nbsp;&nbsp;";
$out.='<input type="Checkbox" name="data['.$this->pObj->sObj.'][clearValue]" value="1">';
$out=htmlspecialchars($this->pObj->sObj)." <b>CLEAR?</b> &nbsp;&nbsp;";
$out.='<input type="Checkbox" name="data['.htmlspecialchars($this->pObj->sObj).'][clearValue]" value="1">';
$out.='<input type="Submit" name="clear_object" value="Clear">';
$theOutput.=$this->pObj->doc->spacer(20);
$theOutput.=$this->pObj->doc->section("Clear object:",$out,0,0);
......@@ -361,10 +361,10 @@ class tx_tstemplateobjbrowser extends t3lib_extobjbase {
$out='';
if (!$this->pObj->MOD_SETTINGS['ts_browser_TLKeys_'.$bType][$this->pObj->sObj]) {
if (count($theSetup)) {
$out = '<a href="index.php?id='.$this->pObj->id.'&addKey['.$this->pObj->sObj.']=1&SET[ts_browser_toplevel_'.$bType.']='.rawurlencode($this->pObj->sObj).'"><b>Add key</b></a> "'.$this->pObj->sObj.'" to Object List (OL)';
$out = '<a href="index.php?id='.$this->pObj->id.'&addKey['.rawurlencode($this->pObj->sObj).']=1&SET[ts_browser_toplevel_'.$bType.']='.rawurlencode($this->pObj->sObj).'"><b>Add key</b></a> "'.htmlspecialchars($this->pObj->sObj).'" to Object List (OL)';
}
} else {
$out = '<a href="index.php?id='.$this->pObj->id.'&addKey['.$this->pObj->sObj.']=0&SET[ts_browser_toplevel_'.$bType.']=0"><b>Remove key</b></a> "'.$this->pObj->sObj.'" from Object List (OL)';
$out = '<a href="index.php?id='.$this->pObj->id.'&addKey['.rawurlencode($this->pObj->sObj).']=0&SET[ts_browser_toplevel_'.$bType.']=0"><b>Remove key</b></a> "'.htmlspecialchars($this->pObj->sObj).'" from Object List (OL)';
}
if ($out) {
$theOutput.=$this->pObj->doc->divider(5);
......
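Review bot: In the second hunk, `$params["itemName"]` and `$params["itemValue"]` are HTML-escaped before they are handed to `t3lib_div::implodeArrayForUrl()`, so `wizard_tsconfig.php` receives the entity-encoded field name (`&amp;`, `&quot;`, …) while the input rendered a few lines later is named with the raw value once the browser decodes its attribute; the two no longer match for any `sObj` containing `&`, `<`, `>` or `"`. The escaping belongs at the output context rather than in the data array: keep `$params["itemName"]="data[".$this->pObj->sObj."][name]";` and `$params["itemValue"]="data[".$this->pObj->sObj."][propertyValue]";` as before, rely on the URL encoding of implodeArrayForUrl (assuming it rawurlencodes values — worth confirming, since the URL lands inside a single-quoted JS string that `htmlspecialchars()` with default flags would not protect), and escape the assembled URL where it is written into the attribute: `onClick="vHWin=window.open(\''.htmlspecialchars($url.t3lib_div::implodeArrayForUrl("",array("P"=>$params))).'\',\'popUp'`. The fourth hunk still interpolates `$this->pObj->id` and `$bType` unescaped into the hrefs; unless they are integer-cast or whitelisted upstream, they need the same treatment as `sObj`. The enclosing method begins before the first hunk and continues after the last, so other uses of `$this->pObj->sObj` in it are not visible here.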